People often discuss the importance of a strong security culture but fail to define what they mean by security culture and, even more importantly, why it is so important and what value culture brings to an organization’s mission. Culture is defined as people’s shared attitudes, perceptions and beliefs. A common metaphor compares culture to an iceberg. Like an iceberg, culture is hard to see, as most of it is hidden. Like an iceberg, culture is also hard to move. There are decades of research on organizational culture on which we can build; one of my favorite culture frameworks to start with is the Culture Factor published in the Harvard Business Review.
Image from People Centric Security, by Dr. Lance Hayden
A security culture is your workforce’s shared attitudes, perceptions and beliefs towards cybersecurity. The biggest drivers of your security culture are often your security policies and how your security team communicates, enables and enforces those policies. If you have relatively easy-to-follow, common-sense policies communicated by an engaging and supportive security team, you will have a strong security culture. If you have complex, overwhelming or intimidating security policies communicated and enforced by an arrogant, punitive or fear-focused security team, you will have a weak or perhaps even toxic security culture. Not sure what you have? Here are some of the most common indicators of a strong security culture:
- People feel safe reporting incidents, even if they caused the incident
- People include security as part of their job description
- Employees correct and help their coworkers to be more secure
- A shared belief that security plays a strong role in your organization’s success
- People feel comfortable asking your security team questions
- Frequent requests for training or briefings on security, or for the security team to become involved in projects early on
If you really want to understand your security culture, one of the best measurement methods is a security culture survey. But more importantly, why focus on a strong security culture? Why spend time understanding, building and measuring something as nebulous as this? Two reasons: the first one is obvious, but the other is perhaps not so often considered.
1. Secure Workforce: The stronger your security culture is, the more likely your workforce will exhibit secure behaviors, and as a result your organization will be far more secure. This is critical in today’s environment. The 2021 Verizon DBIR found that people were involved in over 85% of all breaches globally. The human element is a risk every organization needs to be actively managing, and a strong security culture creates a safe environment for that to happen.
2. Successful Security Initiatives: This is a value many people do not consider or overlook. Think about the many different security initiatives your organization has rolled out, initiatives such as a Vulnerability Management program with IT Operations, DevSecOps training for your developers, a cloud migration, or perhaps an MDM or password manager roll-out for your entire workforce. Now think about how many of those security initiatives have failed, stalled or been only partially successful. Now think about WHY. Was it because of the technology selected, or was it because of a breakdown in communications, coordination or partnership between security and other departments?
Perhaps one group did not understand the value of what was being asked of them, or did not understand their goals or responsibilities. Did the Vulnerability Management initiative fail because of the product selected, or because IT Operations does not trust the security team and was fed up with it constantly causing problems with operations? Did the DevSecOps program fail because of the automated security tools selected, or because developers were tired of the security team constantly pointing out problems and issues but never providing any solutions? Did the password manager roll-out fail because of the vendor selected, or because the security team failed to explain WHY the workforce should be excited about the solution? Far too often security initiatives fail not because of technology but because of people issues like trust and communication. A strong security culture bridges these gaps, helping ensure your security initiatives are far more likely to succeed, regardless of the technology you use.
If you are interested in learning more about Security Culture, consider the SANS five-day course MGT521 Security Culture for Leaders.
ABOUT THE AUTHOR
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture and awareness training and is a SANS Senior Instructor. He helped pioneer the fields of deception and cyber intelligence with his creation of honeynets and founding of The Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries, and helped over 350 organizations build awareness programs to manage their human risk. He is also on the Board of Advisors for Attivo Networks. Lance is the author and an instructor for MGT433: Managing Human Risk: Mature Security Awareness Programs, and MGT521: Leading Cybersecurity Change: Building A Security-Based Culture, and built the SANS Security Awareness business unit from the ground up over the past 10 years. With the catalyst of COVID-19, Lance created multiple resources for securing humans from home, from those working remotely for the first time or managing newly remote teams, to children learning and playing online.