What are the building blocks of security culture?
To understand how to create security culture, we first need to know what it is and how we define it, so that we can look beyond the basics.
Taking into consideration the Oxford Dictionary definition of culture, we may define security culture as “behavior, thoughts and practices that impact security in a positive or negative way, and that are common for a group of people or an organization.”
The culture part of that definition is about people: their behavior, thoughts and practices. The security side of the definition is how that behavior impacts security, positively or negatively. Your organization's risk matrix and risk acceptance level will help you determine to what extent your current security culture is good or bad.
After working on establishing security culture in organizations around the world, I have found that there are three vital parts, or prerequisites, needed for creating and maintaining good security culture.
The first part of the puzzle is technology. In order to create security culture, you need security technology. This includes all the basics like firewalls, antivirus, VPNs, access management and so forth. Equally important is to remember that the technology should be supporting the employees in doing their jobs – which means there will be trade-offs between security and usability. Another important point about technology is that it should support and enforce the next part of the puzzle: your policies and regulations.
These are all the rules you put in place, either by writing them down or by sharing them orally, to set the boundaries of acceptable actions your users can and should perform. One thing to keep in mind is that policies are worthless if they come without incentives. If there is no defined and explained reason to adhere to a rule, it is very likely that people will not follow it. The policies should also be clear and make sense to everyone who has to follow them.
As noted above, technology can and should be used to enforce the policies. By that I do not mean that you should use technology to spy on your employees so you can catch them doing something wrong. What I mean is that technology should be implemented in such a way that it helps the user get the policies right, and that it makes it easier to adhere to the policies than not to.
Take password policies for example. You write them down, distribute the text, and then you expect people to change their passwords every X days. We both know that very few do so, unless you also implement reminders before the due date, and lock users out if they haven't changed the password, until they do so. Try to use technology to enhance your policies just as you do with passwords. It makes it easier for the user to follow the rules, and it also makes your job easier.
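As an added example (not code from the original post), the reminder-plus-lockout mechanism described above, written as a small Python policy check. The 90-day maximum age, the 14-day reminder window, the account names and dates are all constructed for illustration. The same pattern applies to any time-bound rule the technology can track for the user, such as expiring API keys or certificates; note that current NIST guidance (SP 800-63B) advises against forced periodic password rotation, so the parameters here are a demonstration of enforcement, not a recommended policy.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    password_changed: date  # date of the last password change


# Hypothetical policy parameters, not values from the article.
MAX_AGE_DAYS = 90         # password must be changed within 90 days
REMIND_BEFORE_DAYS = 14   # start reminding two weeks before expiry


def evaluate(account: Account, today: date,
             max_age_days: int = MAX_AGE_DAYS,
             remind_before_days: int = REMIND_BEFORE_DAYS) -> tuple:
    """Classify one account against the rotation policy.

    Returns (state, days_left) where state is one of:
      "ok"     - inside the policy window, nothing to do
      "remind" - expiry is within the reminder window
      "locked" - password age has reached max_age_days; the account is
                 blocked until the password is changed
    days_left is zero or negative once the password has expired.
    """
    age_days = (today - account.password_changed).days
    days_left = max_age_days - age_days
    if days_left <= 0:
        return "locked", days_left
    if days_left <= remind_before_days:
        return "remind", days_left
    return "ok", days_left


def check_login(account: Account, today: date) -> dict:
    """Gate a login attempt.

    An expired password does not grant a session; the only path forward is
    the forced password-change flow. A password close to expiry still logs
    in but carries a reminder, so the user hears about it before the lockout.
    """
    state, days_left = evaluate(account, today)
    if state == "locked":
        return {"allow": False, "force_change": True,
                "message": f"Password expired {-days_left} day(s) ago; "
                           "change it to continue."}
    if state == "remind":
        return {"allow": True, "force_change": False,
                "message": f"Password expires in {days_left} day(s)."}
    return {"allow": True, "force_change": False, "message": ""}


def enforce(accounts, today: date) -> dict:
    """Nightly sweep: group accounts by the action the policy requires."""
    actions = {"ok": [], "remind": [], "locked": []}
    for acct in accounts:
        state, days_left = evaluate(acct, today)
        actions[state].append((acct.username, days_left))
    return actions


# Constructed sample data, not real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 5, 1)),   # changed a month ago -> ok
    Account("bob", date(2024, 3, 10)),    # expires in a week -> remind
    Account("carol", date(2024, 2, 1)),   # expired a month ago -> locked
    Account("dave", date(2024, 3, 3)),    # exactly 90 days old -> locked
]
TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    for state, entries in enforce(SAMPLE_ACCOUNTS, TODAY).items():
        print(state, entries)
    for acct in SAMPLE_ACCOUNTS:
        print(acct.username, check_login(acct, TODAY))
```

The point of `check_login` is the "easier to comply than not" property from the text: the user is never silently locked out, because the reminder window fires first, and the lockout itself leads straight into the change flow rather than to a dead end.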
We all have a large amount of policies we have to adhere to. Some make sense, others do not (or are not easy to understand), and that brings us to the third part of the puzzle: competence.
We all know that when we are presented with something new and do not have the knowledge of how to use it, we can be neither effective nor fault-free in our dealings with it. There is a reason military forces spend a large amount of time working and training with the tools and weapons that are used in combat. If they don't, they won't know how to use them when the time comes, and they are less likely to get out alive.
Soldiers also have rules on how to use those tools and weapons, what to do in specific situations, and whose orders to follow. You can think of these as policies. They combine technology, rules on how to use it, and competence in both the technology and the rules.
Why, then, do we think we do not need all three components when it comes to corporate security culture? We expect our employees to use the technology with a minimum of training, and to actually understand and pay attention to all the policies and regulations we put in place, all with a bare minimum of security training.
Instead, we should incorporate training designed to work in our organization – on all levels. The training should be adapted to our needs, risk acceptance level, and current and target security behavior. That means we have to learn how to adopt a holistic approach to security culture, and not to rely just on the yearly mandatory phishing training we send employees out for, knowing in advance that the results will be poor.