What is security culture?
We can define security culture as the part of an organization's culture that affects security, both in a positive and in a negative way. Given our modern dependence on technology, nobody would dare to claim that security does not matter. Everyone knows how crucial security is and how it must be embedded in everything an organization does.
A security culture is a part of the broader corporate culture that encourages employees to make decisions and fulfill their day-to-day duties in alignment with the organization’s security policies. By embedding security best practices in employees’ daily activities, you can reduce or even prevent cyber crimes.
From sociology, we know that culture is flexible and adaptive. This means that by using the right tools and measures, we can impact, change and foster a security culture the way we want it to be. It may take some time to change; how long depends on the gap between your current situation and your target situation.
Developing a Security Culture
An organization's security culture requires care and feeding. It is not something that grows in a positive way organically. You must invest in a security culture. A sustainable security culture is bigger than a single event. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that keeps generating security returns.
Creating and developing an effective security culture is a necessary component of any protective security organisation. Moreover, it helps protect against a range of threats that could cause physical or financial damage to organisations. Security culture refers to the set of values, shared by everyone in an organisation, that determines how people are expected to think about and approach security. Getting security culture right will help develop a security-conscious workforce and promote the security behaviours you want from staff.
Effective security culture
An effective security culture will provide many benefits, such as:
- A workforce that is more likely to be engaged with security issues
- Increased compliance with protective security measures
- Reduced risk of insider incidents
- Awareness of the most relevant security threats
- Employees who are more likely to think and act in a security-conscious manner
A strong security culture not only interacts with the day-to-day procedures, but also defines how security influences the things that your organization provides to others. Those offerings may be products, services, or solutions, but they must have security applied to all parts and pieces. A sustainable security culture is persistent. It is not a once-a-year event, but embedded in everything you do.
Many organisations want to embed an effective security culture where security is a collective responsibility shared by everyone in an organisation. Understanding what your current security culture is like, and how you would like it to be in the future is an important step towards shaping a culture that is fit for purpose.
Why does an organization need a security culture?
The primary answer is something that we all know. In any system, humans are always the weakest link. Security culture is primarily for the humans, not for the computers. The computers do exactly what we tell them to do. The challenge is with the humans, who click on things they receive in email and believe what anyone tells them. The humans need a framework to understand what the right thing is for security. Generally, in order to do the right thing, humans within an organization just need to be taught.
Fortunately, there are things that can be done to make the culture better, no matter where an organization sits on the security culture spectrum.
Ways to develop a security culture
A sustainable security culture includes four features:
- It is deliberate and disruptive: The primary goal of a security culture is to foster change and better security. So it must be disruptive to the organization and deliberate, with a set of actions to make the change.
- It is rewarding: People need to understand what they will get in return when they invest their time and effort.
- It is engaging and fun: People want to participate in a security culture that is enjoyable and a challenge.
- It provides a return on investment: The reason anyone does security is to improve an offering and lower vulnerabilities. So it must return a multiple of the effort invested.
Now let us share some tips that will help you increase security awareness. Moreover, they will help you create a strong cyber security culture in your organization.
1. Focus on the concept that security belongs to everyone
Security belongs to everyone. Everyone owns a piece of the company's security solution and security culture. Many organizations hold the opinion that the security department alone is responsible for security. A sustainable security culture requires that everyone in the organization is all in. Everyone must feel like a security person. This is security culture for everyone.
You can achieve this "all in" mentality by embedding security, at the highest levels, into your vision and mission. People look to these things to understand what they should focus on. Update your vision or organizational objective to clearly articulate that security is non-negotiable. Speak about the importance of security from the highest levels. This does not mean just the people who have security in their title (CISO, CSO), but also the other C-level executives, all the way down to individual managers.
2. Get a secure development lifecycle
A secure development lifecycle (SDL) is the set of processes and activities that your organization agrees to perform for each software or system release. An SDL is foundational to a sustainable security culture. It includes things like security requirements, threat modeling, and security testing activities.
Customers across industries are starting to demand the crazy idea that organizations have an SDL and follow it. If you do not have an SDL at this juncture, Microsoft has released most of the details about its SDL free of charge. The lineage of many industry SDL programs traces back to the Microsoft program.
A reasonable place for the SDL to live is within a product security office. If you do not have a product security office, think seriously about investing in one. This office sits within engineering and provides central resources to extend the pieces of your security culture.
3. Focus on awareness
Security awareness means that you should teach your entire team the basic lessons about security. You must measure each person’s ability to judge threats before asking them to understand the depth of the threats. Security awareness has gotten a bad rap because of the mechanisms used to deliver it. Posters and in-person reviews can be boring, but they do not have to be. You should add some creativity into your awareness efforts. Moreover, you should introduce statistics about hackers, hacking, and phishing.
A more specific form of awareness is application security knowledge. Application security awareness is for the developers and testers within the organization. In your organization, they may sit within IT, or they may be the engineering function. AppSec awareness is teaching the more advanced lessons that staff need to know to build secure products and services.
Bad things are going to happen to your organization, and many times they will be tied directly to a security problem. Do not try to hide them; instead, use them as examples of how the team can get better, and as an opportunity to develop your security culture.
4. Reward those who support a culture of security
One of the rewards can be security advancement. It will provide opportunities for team members to grow into a dedicated security role through advancement.
Make security a career choice within your organization. Put your money where your mouth is. If you say security is important, prove it by providing growth potential for those with a passion for security. You should also look for opportunities to celebrate success. When someone goes through the essential security awareness program and completes it successfully, give them a high-five or something more substantial.
I also recommend encouraging managers to recognize team members who helped detect a problem, either in an email or at a corporate meeting. This demonstrates to everyone else that they are welcome to do the same, because cyber security is important for the company.
5. Make security fun and engaging
In order to develop a sustainable security culture, build fun and engagement into all parts of the process. For many years people have associated security with boring training or someone saying no all the time. If you have specific security training, make sure that it is not boring. If you engage your community through events, do not be afraid to laugh. The frequency of training depends on your needs and your employees' learning curve. Often organizations require employees to refresh their knowledge of security rules by passing brief tests every 3–6 months or so.
Be sure to teach employees based on their talent and ability. Consider their department or other group, level of responsibility, prior knowledge, what data they have access to, and which tools they are using. For instance, people who don't have access to customer databases don't need training about how to work with them securely. Using examples of how employees in your company have violated policy in the past, and what happened to them, might also be effective. Showing that cyber threats are closer than one may think is a good way to encourage employees to follow security policies.
6. Build a security community
The cornerstone of a sustainable security culture is the security community. Community provides the connections between people across the organization. A security community assists in bringing everyone together against the common problem.
You can build a security community by understanding the different security interest levels within the organization: advocates, the security aware, and sponsors. Security advocates are those people with a genuine passion for making things secure. These are the leaders within your community. The security aware are not as passionate as advocates, but they realize they need to contribute to make security better. The sponsors are those from management who help set the security direction. Gather all of them together into a special interest group focused on security.
This group can hold weekly or monthly meetings to discuss the latest security issues. It can even grow into a yearly conference, where the best and brightest from the organization have a chance to share their knowledge and skills on a big stage.
Building a strong security culture takes work, but it is undoubtedly the right path. Many organizations are already working on making this cultural shift, because they recognize they must approach information security with the same level of engagement and responsibility as financial and other risks.
Of course, every organization has a security culture. If they say they don’t, they are either lying or afraid to admit they have a bad security culture. The good news is that any security culture can positively change how the organization approaches security. But culture change takes time. With the right process and attitude, you’ll get there.