
How to Establish a Security Culture


Security culture is a fascinating subject deserving of more coverage. Last month’s KuppingerCole European Identity Conference (EIC) had Cybersecurity Leadership as one of its themes. And Thom Langford, from Publicis Groupe, made the connection.

Image: security-culture. Source: https://securitycultureframework.net

That should be the CISO’s paramount goal. Security culture persists longer than strategy, gets a lot of work done for you, and helps you build credibility. People self-discipline rather than having to be disciplined. The key is to stop treating people as if they are stupid. Instead, treat them as the heroes of the business.

Paraphrasing Thom’s tips:

  • Engagement: Engage with stakeholders, be more open. Take the opportunity to thank them whenever something good happens.
  • Risk management: Don’t say “no,” say “risk.” Ask if or why we should accept or mitigate the risk. Say “here are the options.”
  • Awareness: Stop selling, start marketing – create the security culture not just at the top, but at the water cooler. Use awareness tools (stickers on bottles at events just to say we’re here).

Practitioner’s tip: Paul Simmonds (former Astra Zeneca CISO) told me later that he used to have 95 staff members and would never approve a travel expense without demanding evidence of at least a half day spent promoting awareness in the field.

My take: I couldn’t agree more with Thom and Paul. But although Langford did point us to a cool video satirizing the seedy world of corporate risk acceptance (a must watch for the LOLs), this gets us no closer to actually building a security culture.

Finding out How

The concept of “security culture” sounded so right and true – but how to create one? At first Google searches turned up little detail. But persistence pays off. Eventually I found a whole IT security community built around culture. The security culture framework website contains a fair amount of detail on how to “do” culture and seems to offer much more at a reasonable cost.

The Security Culture Framework

From far in the North – Norway – the security culture framework consists of four modules, each containing processes or disciplines for establishing the security culture. Elements of each module clearly interact with elements of the others. The modules, and what the framework description says about them, are:

  • Metrics: “A process for defining current as-is state, target to-be state, perform gap analysis, define milestones for the journey and SMART (Specific, Measurable, Attainable, Realistic and Time-Bound) result goals.” Thus, it seems that the metrics module uses metrics both for overall assessment of culture (or awareness) and for measuring progress on specific goals.
  • Organization: “In this module, you are figuring out who to involve in organizing and running your security culture program as well as spending time defining different target audiences.” The framework describes this module as also covering topics such as defining target audiences, tailoring the message, and involving and incentivizing security ambassadors, or champions. It also makes an interesting assertion: the HR department is a key stakeholder in security culture efforts because it usually has a lot of experience in understanding people, their resistance to change, and how to watch for and manage any issues. Not to mention discussions of building security responsibilities into policies, job descriptions and incentives.
  • Topics: The Topics module is used to determine which topics to train in order to reach your targets. There is a large number of different topics to train to successfully create security culture, from technical areas, via passwords, policies and legalities, to how to discover social engineering attacks.
  • Planner: The Framework suggests using elements of this module to “Define the timeframe for the campaign; Set up activities and instruments based on target groups; Create timeline(s) for the different activities…the metrics that will be used and [milestones and data collection methods and timeline for revisions].”

The site suggests practitioners should use the framework for its simplicity, its adaptability (it can leverage existing awareness content) and the supporting community of existing users. The framework also has a certification program for consultants, and an internal training program enabling organizations to train a group to carry out a security culture campaign.

Conference: If you’re already in Northern Europe, urgently need to get moving on a security culture project, or just want to tour Norway, the Security Culture Conference 2016 is coming up in just two weeks.

The post How to Establish a Security Culture appeared first on Security Architects Partners.
