As an information security professional, one of the most important areas that I invest in when working for an organization is building the corporate security culture. The culture begins with you: be transparent, be passionate about security, speak about the security initiatives at company meetings or provide recurring security awareness talks at lunch.
The grass-roots bottom-up approach needs to be coupled with increased focus on executives. Getting their support and buy-in is absolutely critical. If the CEO does not have a strong password, then why should anyone else in the company? If the CEO does not take time to do the security awareness training, why should anyone else? Show me a company with a CEO that takes information security seriously and I’ll show you a company with a strong security culture.
To build a strong security culture, you need to break the stereotype. The stereotypical security staffer is a negative cynic (with questionable hygiene) that no one really wants to talk to and people go out of their way to avoid (and security people keep complaining about not being invited to the discussion table). The key takeaway is that if you keep acting like a stereotype, your security culture will get ugly fast…just like a Taylor Swift relationship.
When one of your colleagues clicks on a phishing link, you need to be positive and humble (I realize that is incredibly difficult for most people in IT security). How many of you have been condescending to employees or muttered under your breath that they were stupid for clicking a link. Treat employee mistakes as educational moments and your security culture will improve for the better.
Utilizing security awareness as a core foundational block of your company culture will help to develop a more resilient workforce with strong collective awareness. Take the time to explain and educate. A message resonates when you take the time to explain something to employees rather than admonish them or send out blanket reminder emails that no one reads.
Taking time to explain the “why” in your security policies and developing policies collectively encourages a shared sense of ownership, and your colleagues are more likely to abide by rules they helped to create than rules that were rammed down their throats. This lends itself to a self-realization that security is the responsibility of the many, not the few (cue the enlightenment music).
Barely 1% of security budgets are allocated to security awareness, yet 94% of breaches involved some sort of incidental/accidental “human interaction.” Even incrementally investing in your people would pay dividends!
If you don’t think that culture is important, a recent report about the watershed data breach at Office Performance Management (OPM) should change your mind:
“The longstanding failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology.”
It was breakdowns in the people and process aspects of security that led to this breach, NOT the technology. The report also mentioned that “As OPM discovered in April 2015, tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency’s extensive vulnerabilities.”
The headline of the article that posted the report read “Insufficient Investment in Culture Yields Inconsistent Results”. That has to be the understatement of the century (right up there with when Donald Trump speaks without thinking!)
Remember culture trumps everything.