I don’t know if it’s one of those British things, but talking about ‘culture’ is something we do in a strangulated whisper, as though someone’s got their hands up our back squeezing the syllables out of us.
Using ‘Security Culture’ as the backbone to a business plan has – equally – been off the table. In its place, we’ve used euphemisms like ‘awareness’, ‘engagement’, ‘training’, ‘compliance’. Don’t get me wrong, all these terms are important to security culture, but they won’t be effective without security culture.
Because security culture is the way we demonstrate what matters to us through what we say and what we do on a daily basis. If we don’t care about security, if we don’t believe it matters that each one of us protects our customers and their data, then nothing else stands a chance of working – including threatening to sack people or locking down systems!
All Change for Cyber Security
First there was physical security, then came information security, and now cyber security. It has taken a while to understand how to manage each of these distinct areas of concern, but at a recent Infosecurity Europe panel (http://www.telegraph.co.uk/connect/better-business/cyber-security/strong-security-culture-engaged-employees/), industry experts agreed:
“Businesses that implement security culture with people at its heart – by encouraging engagement between leaders, security professionals and employees – are more likely to be protected from a cyber attack.”
Person-to-person communication about why security matters, and about how to create strategies that are workable for employees, is key to getting the security we need. It may be different from what we’ve done in the past, but talking rather than tech is definitely the way forward.
3 Reasons for Investing in Security Culture
1 – The Board reduces the risk of operational paralysis.
- People are the linchpin – We may not like it, but that doesn’t make it any less true. If tech could solve the problem, it would have done so by now. If compliance could solve the problem, we’d be racing for the finish post by now. People, and their relationship to protecting the data they handle, are at the very heart of cyber security, and security culture is the tool required to manage that relationship.
2 – The Board increases customer confidence.
- “Culture eats strategy for breakfast” – this quote originally appeared in a TechCrunch article (http://techcrunch.com). It describes those moments when you reuse your already overused password because you haven’t got time to create a new one, or you email business docs to your personal account because you need to work at home later, or you let the person without a visitor pass in because you’re not sure it’s up to you to stop them. If the security culture isn’t in place, the policy won’t hold – however many times you email it out.
3 – The Board reduces the risk of financial loss.
- Audits and insurance want to know about culture – it’s not just the infosec experts telling us that security culture is where it’s at. Business security audits are increasingly investigating the emotional and practical engagement of employees with cyber security. Insurance companies are also beginning to require evidence of a strong security culture before offering effective cyber security cover, treating it as a mitigating factor against the threat of cyber attack.
It’s time to talk about security culture
We’re hearing from more and more security professionals that they are now looking for clear and concise guidance on building a compelling business case for security culture change, one with a higher than average chance of being seriously considered by the board. They tell us they know the benefits of implementing security culture change far outweigh any alternative for tackling the ‘human factor’, but they need clear messaging, great success stories, and a cast-iron rationale for getting buy-in.
Building the case for security culture is something more and more businesses are starting to tackle. Join the Layer 8 webinar “Culture Eats Strategy for Breakfast: Creating the business case for security culture” to find out how to:
- Make your argument clearly for senior management.
- Demonstrate the cast-iron rationale for developing a strong security culture.
- Switch on your human firewall.
- Set cultural goals and measure progress.
To register go to: http://bit.ly/2xhIC1V