A 2-phase approach to bolster the security culture
Culture is a nebulous, hand-waving concept, hard to pin down and yet an important, far-reaching factor in any organization.
The new awareness module (the 63rd topic in our bulging security awareness portfolio) is essentially a recruitment drive, aimed at persuading workers to join and become integral parts of the Information Security function. The basic idea is straightforward in theory but in practice it is a challenge to get people to sit up and take notice, then to change their attitudes and behaviors.
During September, we developed a two-phased approach:
- Strong leadership is critically important which means first convincing management (all the way up to the exec team and Board) that they are the lynch-pins. In setting the tone at the top, the way managers treat information risk, security, privacy, compliance and related issues has a marked effect on the entire organization. Their leverage is enormous, with the potential to enable or undermine the entire approach, as illustrated by the Enron, Sony and Equifax incidents.
- With management support in the bag, the next task is to persuade workers in general to participate actively in the organization's information security arrangements. Aside from directly appealing to staff on a personal level, we enlist the help of professionals and specialists since they too are a powerful influence on the organization - including management.
October's awareness materials follow hot on the heels of the revised Information Security 101 module delivered in September. That set the scene, positioning information security as an essential part of modern business. Future modules will expand on different aspects, each one reinforcing the fundamentals ... which is part of the process of enhancing the security culture. Consistency is key, along with repetition. The trick, though, is for the awareness program to maintain interest levels, hence simply saying the same thing over and over is counterproductive: people soon tune-out and glaze-over.
Another factor to take into account is that changing the culture inevitably takes time. Lots of time. This is a s l o w process. We've provided a survey form with a strong hint that the security culture should be measured on an ongoing basis since improvements may not be immediately obvious. The awareness effort may appear to have been wasted unless changes can be demonstrated through suitable metrics. There's another more subtle purpose to the survey though, getting management to determine what's sufficiently important to be worth surveying. There's value in the process of designing the metric, as well as the survey results - a little bonus.
That's it, October's module is done and dusted. So what next?
With just six months from November until GDPR comes into force, we will be revising the privacy module to help subscribers pave the way through awareness. Once again, November's materials will build upon the same foundations, boosting understanding in the privacy area specifically while gently maintaining the undercurrent of information risk, security and compliance in general.
Right now, I have a more immediate goal in mind. After a month's hard work and the weekend's tech nightmare, I think we've earned ourselves lunch in town.