We spoke to Kai Roer, an award-winning author and CEO & Co-Founder of CLTRe, about the concept of IT security culture and why organisations should care about its impact.
1. What is the difference between security culture and security awareness?
Security Awareness is based on the flawed (and debunked) Rational Economic Theory, stating that if a person knows which choice is the right one to make, that person will always make that choice. Awareness training focuses on building that knowledge, so that people know what to do, assuming that they will then always make the right choice.
Security culture focuses on a broader scope: the ideas, customs and social behaviours of a group that influence this group’s security. Whereas awareness can be considered a part of the ideas, culture is much more than just ideas (which may comprise knowledge, thoughts and much more). Personally, I find social behaviours to be key - there is a lot of research supporting the idea that we humans are highly influenced by the people around us, which means we can use social influence and social belonging to enhance the security culture of organisations.
2. What are the benefits of security culture?
First, security culture is not a binary where you have it or not - every group of people has a security culture. The question is whether or not it is a good culture. Benefits of good security cultures over bad security cultures may be exemplified by the Bangladesh bank heist. A security culture existed, but because of the management structure, culture and style, failure to invest in proper security, poor understanding of cyber risk, disregard of the need for logical controls, and many other elements that together formed that bank's security culture, the security culture was very poor. We saw what happened next - a successful cyber heist, and the access to the global banking system SWIFT, opening global banking up to more heists and other sorts of not-so-fun stuff.
With a good security culture, the Bangladesh bank would have had proper security controls in place throughout the organisation. A good security culture would have made it much harder (but not impossible) to successfully launch the attack.
3. How do we measure security culture?
Measuring security culture must start at the right place - with the culture, not the security. Security is just one property of culture. If we accept that fact, we quickly realise that measuring culture must be done by those people who understand culture, namely social scientists. I have worked with European and US-based research institutions and universities to apply social sciences to measure security culture, using assessments, observations, experimentation and similar methods and techniques.
Measuring culture is not about counting the number of participants attending or completing a particular training activity. Measuring culture is about measuring the change in culture (ideas, customs and social behaviours) over time, to see how it changes, what activities influence it, and how we can tune activities to our needs. We need to focus on the outcome, not just the vanity metrics.
4. Why should organisations care about security culture?
Organisations should care about security culture because culture matters. As Peter Drucker once put it “culture eats strategy for breakfast”. In other words, you can have the best made plans, but failing to recognise people's needs for structure and belonging and how groups influence behaviours will make even the best-laid plans fail.
Security culture, being a subset of the organisational culture, should be on the board-level agenda just like any other cultural issues, because it directly impacts company-wide risk, thus directly influencing profit and loss. Just think about the Bangladesh case above.
5. How do organisations improve security culture?
Since security culture focuses on a much broader scope, we can apply different means to build and improve the culture. Where awareness training is, well, training, security culture campaigns can incorporate a wide number of activities - from training and similar awareness content, to policy changes, to technology changes, to facilitating changes in group dynamics. The key to successfully transforming security cultures is to play on several strings at the same time.
A large number of organisations worldwide use the free and open Security Culture Framework to organise the work of building culture. Around the framework, a community has grown, with local user groups and even an annual conference - the Security Culture Conference.
6. How can a negative or weak security culture affect an organisation and its employees?
The Bangladesh case is only one of many examples of how a weak security culture affects an organisation. For the employees, a weak security culture will affect how they do their work, and how they treat company information. Moreover, for employees, a weak security culture means that they do not have any way of learning and improving, nor do they have any opportunity to report incidents, and handle them properly.
Again, recall the Bangladesh case - the choice of not using firewalls is a direct result of a poor security culture on the organisational part, whereas it is possible that some employees in the ICT department tried to reason with the management to be allowed the funding to invest in firewalls. Or, worse, if the ICT department did not have the competence to understand the need for a firewall themselves, that is a clear indicator of the organisation's failure to understand the competence requirements.
7. How should companies encourage best security culture practices in their employees? Should it also be the employee’s responsibility to maintain positive security culture?
We see that the organisations applying the principles of the Security Culture Framework are able to transform their security culture by involving the organisation, engaging with the employees and measuring their progress. The “how” is up to each organisation - an approach that may work very well in one industry or company may wreak havoc on another. Thus, it must be up to each organisation to choose the appropriate tactics to encourage best practice. What we find, however, is that positive enforcement, clear and concise messaging, and measuring the results in changed behaviours often create success.
Employees have responsibilities of course. Following the policies of their employer is one of those, and adapting to the cultural requirements is another. What we see is that more often than not, the employees themselves are not the culprit. The challenge resides in how the organisation chooses to enforce their policies, train their employees and incentivise the behaviours. I have seen many security culture programmes fail because of a stubborn security officer believing he has all the answers, pushing them on to the employees. Instead, the security culture programme should make an effort to understand the security needs of the employee, and then cater for those needs.
8. Are there any particular industries that you think need a security culture reality check?
It is very tempting to say bank and finance, considering the latest events with SWIFT and others. However, I think we all need a security culture reality check - it is easy to point fingers, especially when we instead should be taking a closer look at our own practices. What I will say is that those organisations where their security and risk management departments understand that they are there to support the organisation, and not the other way around, are more likely to be successful in building and improving good security culture.
Those who still consider themselves the gatekeepers of innovation (putting the “No” in innovation), are, in my opinion, exactly those security officers who need to take a step away from what they are doing, and instead start talking with and learning about their organisation and their employees.
Only when you take the time to really understand the business, can you start protecting it in a way that makes sense.