Cultured security
Aside from describing the attitudes and values shared within groups, or its use in microbiology (!), there's another meaning of 'culture': being suave and sophisticated.
In the information risk and security context, it's about both being and appearing professional, exuding competence and quality - and that can be quite important if you consider the alternative.
Given the choice, would you be happy interacting and doing business with an organization that is, or appears to be, uncultured - crude, slapdash, unreliable etc.? Or would you be somewhat reluctant to trust them?
There are some obvious examples in the news headlines most weeks: any organization that suffers a major privacy breach, hack, ransomware or other incident comes across as a victim and arguably as culpable for the situation. It's hardly a glowing endorsement of their information risk, security, privacy and compliance arrangements! Contrast their position with the majority of organizations, particularly the banks, that exude trustworthiness. Corporate cultures, brands and reputations are bound strongly together.
The two meanings of 'culture' are linked in the sense that the overall impression an organization portrays is the combination of many individual factors or elements. Through marketing, advertising and promotions, public relations, social media etc., management naturally strives to present a polished, impressive, business-like, trustworthy external corporate image, but has limited control over all the day-to-day goings on. Myriad interactions between workers and the outside world are largely independent, driven by the individuals, individually, and by the corporate culture as a whole.
Management may try to control the latter, espousing 'corporate values' through motivational speeches and posters, but in most organizations it's like herding cats or plaiting fog. Much like managing change, managing the corporate culture is a tough challenge in practice. Realistically, the best management can hope for is to influence things in the right direction, perhaps rounding off the sharpest corners and presenting a more consistently positive front.
I'm talking here about the organization's integrity, one of the three central information properties alongside confidentiality and availability. Protecting, enhancing and exploiting the organization's culture is a core issue for information security, one that includes but extends well beyond the very limited domain of cybersecurity.
That in turn makes 'security culture' a valuable topic for the security awareness program, and makes the program a valuable part of running the business. The awareness materials and activities are not just meant to inform and influence individuals one by one, but to mold the overall corporate culture in a more generalized way. We're not just addressing 'users', computer systems, networks and apps. An effective awareness program deliberately envelops everyone in all parts and at all levels of the organization.
The awareness stream aimed at management will be particularly important in October's module. Our intention is to convince managers that:
- Although they may never have considered it before, the corporate security culture really matters to the organization - it's very much a business issue;
- While culture is largely an emergent property of dynamic social groups and interactions, it can be influenced, if not actually controlled, through sustained and deliberate actions - it's a strategic business issue;
- The security awareness program is a viable and valuable mechanism to influence the corporate security culture;
- Managers themselves are part of the strategic approach, e.g. not merely mandating staff compliance with security and privacy rules through directives, policies and procedures, but walking the talk: demonstrating their personal concern and proactively supporting information risk, security, privacy, compliance etc. - in other words, showing leadership.