This week I was speaking at the ISACA Nordic Conference in Oslo, where I shared my findings on security culture. I have uploaded my slides to Slideshare, and you can watch them here:
Unfortunately, Slideshare is not able to process Keynote files (the tool I use to make my presentations), so there are no presenter notes available. Therefore, I have attached them below, with slide-numbers (one being the first slide):
In this presentation, you will learn about the building blocks of security culture, and how to organize your security culture program to create success.
Why should we care about culture, you may ask. In leadership, here represented by Petter Stordalen, the Choice hotel chain owner, the realization that culture eats strategy for breakfast is the understanding that you can have the best of plans and the best of execution, but without an organizational structure and a common set of values, you will fail. Culture is the building blocks of society.
Security Culture – what are we talking about? Is this just another one of those marketing tricks? Another fancy name? Let us examine what security culture is. To do that, we need to understand what culture is.
The Oxford Dictionary defines culture as: The ideas, customs and social behavior of a particular people or society.
Take a moment and think about that. Ideas. Customs. Social behavior. Those are common things every individual shares. You have them – and I do too! And when we meet, we form groups that end up sharing some or all of those ideas, customs and social behaviors. Let us examine culture a little more!
Meet Green, Orange and Red. These are individuals as you can see, and they come with their own ideas, customs and behaviors – you can see Green is the positive, including guy, and Red is, well, on the other end of the scale.
We all know these people, don´t we?
Which one are you?
Here we have a group of people – they share the Orange values, they form a culture. This could be your work-group, your organization, your soccer team and even your country! They are all examples of groups of people, who together share a set of ideas, customs and social behaviors. In Norway, for example, we share the custom of enjoying Brown Cheese (brunost), which as far as I know, no other country does.
Now, let us introduce Red to this group. Red is, as we remember, the negative person who always gets in your way, looking for the worst, expecting a disaster in every project. The question becomes – will the group change Red? Or will Red change the group? Both are valid questions, and valid outcomes.
In the Orange group, however, we do not have a strong culture, which allows a stronger influence from one individual towards the group. And we see the Red ideas, customs and social behavior spread.
As we see here, Red is changing the group, by spreading the negativity, the pessimistic outlook. All that is needed is a group who is not focusing on building a strong culture to support itself. When someone new arrives, they are able to change the ideas, customs and social behavior of said group, and can create devastating results.
A result where other members of the group no longer want to be a part, and start leaving. What is left of your team, your department or your organization, is the negativity, the pessimistic outlook and the general consensus that nothing is possible, nothing can (or will) ever change. What is worse, is that this new culture will scare away possibly great additions to the team – or they will leave after only a very short time with the company.
Why should you care as a security officer, you may be wondering?
Remember the Insider Threat, so famously named because it is someone from within your organization who leaks your data, or who introduces malware? An organization, department or team with this negative culture is more likely to create an environment where the insider willingly starts exploiting the organization. And that, my friend, that is your problem!
Let us take a look at the definition of security, again according to the Oxford dict. Being secure, is the state of being free from danger or threat and/or the state of feeling safe, stable, and free from fear or anxiety
Using this definition, we can see how culture and security walks hand in hand – it is about individuals, people, and groups of people, and it is about creating an environment where people can be free from danger or threat, and where they can feel safe, stable and free from anxiety.
So I claim that your job is to make your colleagues feel safe, and free from fear – which means we should ditch FUD right away! It also mean you may have to reconsider how you do your job.
Many security officers I know, tend to act like Red by alienating their colleagues, by expecting employees to understand security, without ever trying to understand the employees real job. Over the years, the Red´s get disappointed by poor results, lack of support and becomes more and more negative and destructive – for himself, and for the organization.
Is this how you feel, perhaps?
So let us take a different approach. Let us introduce Green to a group, and see what happens! At first glance, this look so much happier, I can feel the warmth all the way here! How will this go?
Remember that Green is introduced to a group without a strong, supporting culture, so he is able to more easily change its ideas, customs and behaviors.
Just like negativity, being positive is contagious. Being optimistic and looking for solutions instead of problems helps yourself, your team and your organization realize there may be a way out of whatever challenge you are facing. And as this notion spreads…
…more and more people will join the new culture.
And as the culture grows, word is spread outside the organization too, attracting other individuals and groups with similar mindsets, with similar ideas, customs and social behavior. And you have created a magnet of positive attraction!
Why this matters to you as a security officer? Well, the insider threat have been reduced to the accidental incident of forgetting the Smartphone on Flytoget, a behavior that training and education can reduce – because this culture wants to learn, to grow, to succeed. This culture care about the group, and security becomes an integrated part of that culture. This groups social behavior allows it to build a better security through understanding why, by being motivated for success, and by caring for each other and the group!
So the question is: Which security officer do you want to be?
- The negative, destructive force that is Red?
- The indifferent, easily changeable Orange?
- Or the positive, secure Green?
Let´s choose the Green, and let us build great security culture!
Which brings us to the question – how do we define security culture? Using the Oxford definitions of Culture, and of Security, I have come up with this definition of security culture: The ideas, customs, and social behavior of a particular people or society, that helps them being free from danger or threat.
This in turn makes the job of the security team into the job of creating an environment that helps the group to being free from danger or threat. And we can do that by working with the ideas, customs and social behaviors of our team, department and organization.
So we can make our goal, our purpose, to transform this…
The good news is that we have already seen how culture can be transformed, and that should lead to the realization that we can curate that transformation. So let us do just that!
Let us see how we can create a security culture program. It may sound like a daunting task, I know. Done correctly, using readily available tools and resources, it can be done!
One such tool is the Security Culture Framework. The Security Culture Framework consists of four building blocks:
- Metrics, where you define a baseline, set your goals, and define your metrics;
- Organization, where you organize your security culture workgroup, define target audiences and build organizational wide support;
- Topics, which are the activities your choose to implement in order to reach your defined goals; and the
- Planner where you plan your efforts, your revisions and your metrics.
Four areas that needs to be covered, each fulfilling individual tasks, while being connected to each of the others. You cannot have one without the others, and expect results – which is why most awareness trainings fails – they would sort under the Topics part, while being an important element, it is unable to create lasting change without the support of the other three building blocks required to transform culture.
With a framework like the Security Culture Framework, we can get to work:
If you want to walk a thousand miles, you start with one step.
When building security culture, we have found that these steps are a great first step.
Setting up your team is where you build a security culture work group. You want to include the kind of expertise you are unlikely to have yourself – especially from HR (training and organizational knowledge), and from Marketing (creating the story+presenting it).
Together with your team, you define your goals, and decide how you know that you have reach them (or missed). You need to measure your current status too, so you know where you are. You will use the Current situation and compare it with the desired goal to make a GAP-analysis to help you determine which elements, topics and activities you will use in your security culture program.
Then you define your target audience. Again, here the marketing guys can help. Why, you may ask? Consider the differences between the IT-department and the sales people. They are quite different, right?
Then you start choosing the topic(s) you want to focus on (remember your goal), and activities that will support your message. Again, Marketing Dept.!
Plan your efforts – think of each effort as a campaign, make it last a limited time, which will allow you to measure before- and after-effects. Which is the next you do – measure, learn, change and do it all again!
Now that you know why culture matters in security, and how to organize your work, let me explain why you need to create a security culture program.
Culture is changing and evolving all the time. As we saw earlier, individuals impact culture, and culture impacts individuals. We need to run an on-going program to nurture and control the change we want.
Also, when so many security officers complain that their awareness trainings fail to yield results, one of the reasons is that they fail to see the need for a holistic approach, a program where a training is one part of the whole, not the Silver Bullet to solve it all!
So to create successful security culture, a positive one, driven by the Green, you need to nurture the culture. Make it support business, your job is to secure the business, right? Create both understanding and awareness, and a support structure where your colleagues knows what to do, and whom to turn to, when they make a mistake.
A security culture program is an on-going effort, one that never stops. We can say that security is built-in to culture, that culture is a security measure to create a stable, safe environment where we are free from threat. At least we shall consider that our goal!
And remember that every walk starts with one small step! You can do it too!
So the question remains: Which security officer do you want to be?
I know who I want to be!
Thank you very much! I will be available for questions this afternoon. You can also reach me on Twitter, and my blog.
Of course, you can buy some of my books too – they are on amazon.com!
These are some sources of information you can use to learn more about security culture, how to build and maintain it, and ideas of content.
Request me to speak at your next event!
Would you like me to speak about how to build and maintain security culture to your workgroup, at an event, or at a conference? Use this form to request my availability: