7 security culture strengtheners

Given research indicating that security culture trumps security policies, how can we strengthen the corporate security culture?

Here are a few ideas to set you thinking:

1. First, understand what 'strengthen the security culture' actually means. Think about that. It's not exactly obvious, is it? Before attempting to fix any supposed issue, it helps to know what the issue really is and have a clue about what 'fixed' looks like. So, what are the defining characteristics of a strong, effective security culture? Conversely, what are the symptoms of a weak/ineffective one? If your corporate security culture was somehow strengthened, what would actually change, and what outcomes would you expect?
   
   Hinson tip: this is a good topic for corporate workshops/studies, concerning the high and low points of the organisation's security culture. For example, if ignorance of information risk is acknowledged to be a weakness, that is a focal point, something fairly specific and measurable that can be proactively targeted to strengthen the culture. As to the high points (existing cultural strengths), read on ...
   
   
2. To strengthen culture, exploit culture. Address teams, groups, departments or entire organisations, collectively, rather than each worker, individually. There are local, national, corporate and industry norms to consider. 'We're all in this together' has leverage, at least for those of us who are community-spirited, while even selfish egocentrics should appreciate that their income relates to the organisation's overall success as much as their individual performance. If the organisation flounders, jobs will be lost and times will be hard, whereas if it thrives, everyone benefits. Don't let the side down!
   
   Hinson tip: with a little creative thinking, teamworking opportunities abound, such as: incident response (working together to diagnose and address security issues); security exercises (stronger members of the community helping/guiding the weaker ones); developing better security procedures and tools (see #6).
   
   
3. Draw upon strong, charismatic leaders. Although 'the tone at the top' is commonly mentioned in this context, influencing leaders is, if anything, even more challenging than influencing workers in general, taking us back to the original issue. 
   
   Hinson tip: get the Big Boss on-board and the rest will follow. Even something as simple as a statement of personal support and concern about information security from the CEO/President is curiously motivating - perhaps because ignoring or resisting such a move can be career-limiting. 
   
   
4. Exploit management's culture. Yes, that's hard too! The idea here is to seed positive security messages among managers at all levels, hoping that they percolate and reinforce each other.
   
   Hinson tip: management's overt focus on 'the business' is an obvious point of common interest and leverage. Demonstrating how information risk and security management supports and enables the organisation to achieve its business objectives can be a powerful approach. Work hard on those business cases! Learn business-speak!
   
   
5. Address human biases/prejudices. We already do this to some extent, for example hackers are commonly portrayed as malicious foreigners, exploiting workers' xenophobia. Some biases are distinctly unhelpful, however, such as the reluctance to address very low probability but high impact incidents, claiming "That'll never happen ... and even if it does, we're stuffed anyway!"
   
   Hinson tip: celebrate success! Aside from enforcing compliance by identifying and punishing non-compliance, reinforcing compliance is a complementary motivational approach. For example, encourage reporting of information security incidents, events and near-misses by responding positively to the reports and thanking the reporters. Share the good news about incidents that were averted or mitigated because someone spotted and reported them in time. Plot the lag time and find ways to reward improvements.
   
   
6. Be 'part of the team'. Specify, design, develop/capture and prove/improve information security approaches collaboratively, making good use of the skills and knowledge of those involved. 
   
   Hinson tip: there is tremendous potential in various forms of collaborative working. Security-related procedures, for instance, must be pragmatic, given operational constraints, limited resources and conflicting priorities. Developing workable approaches, guidelines and (where appropriate) automation implies the involvement of practitioners as well as experts in the development process. There's more to this than collaborative documentation.
   
   
7. Play the devil's advocate. Openly encourage management to accept substantial information risks ... on condition that, on behalf of the business, they explicitly accept personal accountability for doing so. This strategy turns the problem on its head with a subtle and counterintuitive yet powerful effect, provided 'accountability' holds weight and the team pulls together (e.g. applying peer-pressure to managers who are patently out-of-line in terms of their risk appetite).
   
   Hinson tip: the provisos imply the need to lay certain foundations before embarking on this approach, such as ensuring genuine understanding of 'accountability', 'responsibility' and other governance or management concepts. This is an advanced technique, probably too risky for immature organisations.
   
   
8. Free bonus!  I'm certain there are other viable approaches including ideas borrowed from well-established fields. In aviation, for instance, the safety and security culture extends across the entire global industry, with a variety of mechanisms in place to facilitate that.
   
   Bonus tip: sharing good practices and learning from incidents and near-misses experienced by peers supports the industry as a whole, despite commercial competition. What are you doing along these lines? Evidently you've made the time to peruse this missive but have you discovered the ISO27k Forum yet? How about ISSA and ISACA? Infragard? Infosec conferences and trade shows? Infosec hangouts? Care to comment below?

Notice how the 7+ approaches support each other - they are complementary rather than alternatives. Doing all of them together would stretch the resources pretty thin, however, so strategise and plan carefully.  Focus on driving just one to get things going, then once the speedo picks up, change gear and press ahead.