Taking the pulse of your information security culture

security culture
Gerd Altmann

Anyone who has been a manager in a company of a reasonable size understands the concept of corporate culture. Investopedia refers to corporate culture as "the beliefs and behaviors that determine how a company's employees and management interact and handle outside business transactions." It is a pretty important concept if you want a thriving organization. To give you an idea of the importance I place on cultural fit, anyone I seriously considered for a position in the past 12 years had to complete a cultural fit study before they ever got to the technical aspect of the interview process.

In recent months, the concept of a corporate security culture has been discussed. As ISACA puts it, corporate security culture determines what an organization does about security, as opposed to what it intends to do. Given that some are now referring to employees as "human firewalls," the idea of each employee doing what the company says they do regarding security is all too important.

As an example, much of the ransomware being spread today begins with an employee opening a .zip attachment to a spam email. Virtually every organization with a formal security policy prohibits the opening of .zip attachments to email, but in the absence of a supporting culture, the protections break down.

The lack of a solid company security can have disastrous consequences. IBM in its 2014 Cyber Security Intelligence Index reported that 95% of all security incidents involved employee error. The problem is not just errors, however -- MarketWatch reported last week that 1 in 5 employees would be willing to sell their password for the right price. While I find such studies to be a bit dubious, I am confident this number is greater than zero. It only takes one compromised password to breach an organization.

Admittedly, the concept of security culture is somewhat nebulous. With corporate culture, we have learned over the years how to foster it, and what would kill it. Security culture, being a much newer idea, is harder to grasp. As such, it may be best to ignore the idea for the time being, and focus on encouraging employee involvement in security. The culture can then develop itself.

So, how do you foster employee involvement in the hopes of building such a culture?  Here are some basic ideas:

Begin at employment

I mentioned earlier in this article that I was a big believer in cultural fit testing prior to employment. I think the same approach applies to security. We can all be asking questions of prospects in advance of employment to get an idea of how they would deal with security. We can ask technical questions about their security knowledge, or behavioral questions to help figure out how they have dealt with such issues in their past.

Start from the top

Security culture begins at the top, with the CEO or head of the company. This person must model good security practices themselves, and speak sincerely about it at every opportunity. I have been involved in many an all-hands meeting where the CEO attempted to speak sincerely on a topic while reading to a script created by marketing. It is pretty easy for the employees to see right through this. The company head must understand enough about security to really speak about it.

Every manager a leader

As with the CEO, every manager must live and model good security practice. Their involvement must go deeper, however. Those of us in the IT "glass house" understand how to apply security practice to the organization as a whole. What we often cannot judge effectively, however, is how to apply this to the day-to-day operations of a particular department. A manager with strong training can help we IT folks understand how to apply security to their own function. If IT cooperates, the manager will have a much easier time selling participation to the department members, and security practices will be less disruptive to the business.

Survey the workforce

Early in my career, I worked for IBM in Florida, blocks away from the birthplace of the IBM PC. Every year, IBM would conduct a detailed employee opinion and satisfaction survey for each site, and then would make visible changes to the operation based on employee feedback. If they ever suspected that the culture at a site was not thriving, they would immediately do an ad hoc survey to figure out why.

We can do the same thing with security, by periodically asking employees about their security knowledge, opinions and practices. That is the easy part. The hard part is analyzing the results, and acting on them to improve the organization's security posture.

Train the workforce

Those of you who regularly read my articles are probably rolling your eyes at this point, given the frequency with which I have mentioned awareness training, including the information security magic bullet. It is sufficiently important, however, to bear repeating over and over. Train your workforce, and refresh them at least yearly. We can't expect them to follow good practices if they don't know what those are.

Make security a campaign

Most organizations have a community cause, like blood donation or Toys for Tots, that they support every year. These often involve posters, weekly progress updates, rallies, etc. We should do the same to foster employee security involvement. The marketing folks in most organizations could probably create an effective campaign in their sleep. Make it a priority for them to do this, and evolve the effort over time.

Reward good practices

When employees do the right thing, reward them. In some cases, material rewards are appropriate, but a reward can be something as simple as public praise. In the psychology world, this is referred to as positive reinforcement, something every parent would understand.

Bottom line -- follow the right steps, and your security culture will form on its own. The reward will be a workforce focused on keeping the organization safe.

This article is published as part of the IDG Contributor Network. Want to Join?

New! Download the State of Cybercrime 2017 report