Earlier this week, I was approached by a colleague to explore how to successfully shift security culture; more pressing was the need to measure it. As building an effective and measurable security culture increases in importance, the approach we take determines our success.
In the business setting, culture is the way people (colleagues) think, behave, and work. When seeking to develop a culture of security, it traditionally means integrating individual responsibility for protecting systems and information into the expected course of behavior.
Alongside the challenge of working out how to transform the culture to include security sits the slightly easier task of measuring it.
I suggest starting with some basic measurements when embarking on a program like this. It not only serves to form the baseline, but done properly, reveals the pathway to systematically introduce the elements people are ready for (or need) that produce the best value for individuals and the organization.
That means the program is more likely to succeed.
Key considerations to creating a culture of security
Most of the leaders I speak with about shaping security culture start with the assumption that it necessarily means the current state is unacceptable and requires wholesale change. Often, that doesn't hold as true as it seems. Sometimes it just takes a clear vision, open communication, and the training people need/seek.
Instead of starting with preconceived notions of what is or what should be, focus on:
- Connecting people to value: their own, as well as the value of others, the business, and how security helps protect what's important
- Context: finding a shared understanding of the current culture
- Conversation: listening and learning before telling, building relationships that guide and improve the overall cultural evolution
Place emphasis on demonstrating what is expected. Provide people insights and opportunities to gain the experience for what they can and should do. This is more effective than telling people what they should do because a policy exists.
The role of measurement to build the culture
Focus on progress over perfection. To that end, measuring the baseline, changes, and using those measurements to inform next steps is important.
For metrics to be successful, they need to be:
For some, this is a bit scary, since measurement often reveals where things need improvement (read here). That is precisely the reason to engage. When considering how to measure what matters, keep in mind that what matters to security is what matters to the business.
Use the measurements to inform the core elements of the program:
- Problem/opportunity for improvement: seek evidence that documents, and ideally describes, the real challenge
- Solution: it must answer two questions
  - what is the expected outcome
  - how is the solution (the change) evidenced
- Evidence: the method, frequency, effort, and value of each metric in the measurement program
Some additional reading on measurement:
- Getting over the fear of measuring what matters
- 3 steps to measure what matters in any situation
- Include these 3 essential elements to measure what matters
Getting started in measuring the culture
Most people undertake "security awareness" in an effort to promote a culture of security. It's a good starting point, but generally only works when using the right definition of awareness (check it here) and designing the process/system for the single outcome: people report suspected incidents (read why here).
This matters because it is the first step in guiding a change in behaviors and actions. Since the expected action is to report suspected incidents, the process of measuring is a bit easier.
A sound starting point is to measure how many people engage with and report suspected incidents. This requires two things:
- Method to showcase potential incidents so people build awareness
- Insight into the incident REPORTING (not response) process
It's the first step toward giving people a voice and a method to take responsibility. Additional elements for insight:
- How many incidents are reported (no distinction of how): this is a good trend to capture; keep in mind that some things are cyclical by business, by nature, or the like - focus on capturing the story that explains the trend
- How many people are using the incident reporting process (if one exists): this provides insight into the efficacy of the current process and signals improvement opportunities
- What type of incidents are reported: this reveals what people are spotting, where they have natural interests, and what is happening in the network
- How many reported incidents merit action: this is a reasonable indicator of how effective people are at spotting actual incidents versus exercising and coming to terms with a newly found awareness (and sometimes hyper-awareness)
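As an added example (not from the original article), the four measures above plus a monthly trend, computed over a constructed set of incident-report records; the record fields, the sample values and the assumed headcount are all illustrative assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample: one record per report made through the incident
# REPORTING channel (who reported, when, what kind of thing, and whether
# triage decided it merited action). Values are illustrative, not real data.
REPORTS = [
    {"reporter": "alice", "date": date(2024, 1, 9),  "type": "phishing",         "actionable": True},
    {"reporter": "bob",   "date": date(2024, 1, 15), "type": "phishing",         "actionable": False},
    {"reporter": "alice", "date": date(2024, 2, 2),  "type": "lost device",      "actionable": True},
    {"reporter": "carol", "date": date(2024, 2, 20), "type": "phishing",         "actionable": True},
    {"reporter": "dave",  "date": date(2024, 3, 4),  "type": "suspicious login", "actionable": False},
    {"reporter": "alice", "date": date(2024, 3, 11), "type": "phishing",         "actionable": False},
]
HEADCOUNT = 40  # assumed size of the population that could have reported


def culture_metrics(reports, headcount):
    """Return the baseline measures the article lists, plus a per-month trend."""
    by_month = Counter(r["date"].strftime("%Y-%m") for r in reports)
    reporters = {r["reporter"] for r in reports}          # distinct people using the process
    actionable = sum(1 for r in reports if r["actionable"])
    return {
        # how many incidents are reported, and the trend behind that number
        "reports_total": len(reports),
        "reports_by_month": dict(sorted(by_month.items())),
        # how many people use the reporting process (and what share of the population)
        "distinct_reporters": len(reporters),
        "participation_rate": round(len(reporters) / headcount, 3),
        # what types of incidents people spot, most frequent first
        "by_type": dict(Counter(r["type"] for r in reports).most_common()),
        # how many reports merit action: signal quality versus early hyper-awareness
        "actionable_rate": round(actionable / len(reports), 3) if reports else 0.0,
    }


if __name__ == "__main__":
    for name, value in culture_metrics(REPORTS, HEADCOUNT).items():
        print(f"{name}: {value}")
```

Re-run the same function over each new period to build the baseline and see whether reporting breadth (distinct reporters) and quality (actionable rate) move in the intended direction.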
Why these measurements help create a stronger culture
Capturing a broad measure of how the incident reporting process functions creates the opportunity to consider trends and patterns.
At a minimum, it provides evidence of what people see and do (even if the action is as simple as reporting to someone else). Ultimately, the insights gained from the measurements direct the activities of highest value, including:
- Improvement of incident reporting: keep improving the process for better compliance and usage
- Better awareness programming to shape what people look for and report
- Training opportunities for people interested in taking personal responsibility (and reducing the reliance on security for more commonplace tasks)
As an added benefit, the same measurements feed improvement of the cycle of prevention, detection, and response. It's evidence and context to reveal the blind spots and make necessary adjustments (read more here).
Getting started on building the right security culture for you
The right security culture is one built on listening and guiding actions of mutual benefit through communication in context. The key is to get started and keep it simple.
While many of us have years of experience and insight into a myriad of security challenges, those aren't usually the right starting place. Instead, put faith in people and seek first to understand the current culture and capture evidence to guide where it makes sense to improve.
A solid first step is to make sure the incident REPORTING process (before even worrying about security awareness) is working. Extend people a voice and build the confidence in using it. That becomes a valuable conduit into what people see and do.
People comprise the culture. By connecting people to the value of security (in a shared context), the culture evolves naturally and successfully to one that protects information.