Lushin Premji

Editor's Note: Lushin Premji manages the awareness program at Thomson Reuters. He is one of the speakers for the upcoming Security Awareness Summit 6/7 December in London. Below he gives an overview of his upcoming talk on Measuring Your Security Culture.

Security culture in an organisation is priceless. A strong security culture will create an environment where employees behave in a secure manner regardless of whether management are watching or not. But how exactly do you start that journey to get to your desired security culture?

Measure, measure and measure.

Measuring your security culture should be the starting point for any security professional who wants to reduce information security incidents caused by human error in their organisation. At a minimum it also enables organisations to:

  • Identify their current security culture and gauge how far they are from their desired security culture
  • Identify departments/business areas with a poor security culture
  • Show ROI from any security culture and awareness efforts
  • Create a tailored security culture and awareness program

However, many organisations are using poor shortcuts such as phishing tests or eLearning scores to try to measure their security culture. These organisations (clearly!) do not know where to start when trying to measure the invisible concept: ‘culture’. But fear not, I can help! I work at Thomson Reuters and look after their security culture and awareness efforts, where metrics are baked into everything that we do. I will share my knowledge about all things to do with metrics and security culture. You will walk away learning (at a minimum) the following:

  1. What is security culture and what is security awareness
  2. How to use both surveys and focus groups effectively to measure your security culture
  3. How you can structure and use the output of effective security culture metrics to:
       • Identify departments/business areas with a poor security culture
       • Show ROI from any security culture and awareness efforts
       • Create a tailored security culture and awareness program

I hope you can join us for a fantastic event in London 6/7 Dec.

Bio: Lushin currently manages Thomson Reuters' information security culture and awareness program over 150 countries. Before taking his role at Thomson Reuters, Lushin was a founder of the security culture and awareness capability at PricewaterhouseCoopers. At PricewaterhouseCoopers he was able to build an award-winning information security culture capability and deliver wide-ranging information security culture projects to global clients.