Building a Strong, Intentional and Sustainable Security Culture

Here is the big idea: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, your organizational culture will "win out" over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture. But how do you achieve this to ultimately build a strong, intentional and sustainable security culture? There are four secrets to success.

1.Take stock of where you are and where you are going

Without a plan and a path, you are sure to get lost! The key to implementing secret #1 is to leverage a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.

With this background knowledge, you can begin to create your goals for the year. I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework – one I recommend is the Michael Hyatt version– a bit more on the topic can also be found here. (SMARTER = Specific, Measurable, Actionable, Risky, Time-keyed, Exciting, Relevant.)

2. View security awareness through the lens of organizational culture

Organizational culture and security culture are not one in the same. However, they need to be closely knit.   

Organizational culture is not the sum of roles, processes and measurements; it is the sum of subconscious human behaviors that people repeat based on prior successes and collectively held beliefs. Similarly, security culture is not (just) related to "awareness" and "training"; it, too, is the sum of subconscious human behaviors that people repeat based on prior experiences and collectively held beliefs.

Culture is shared, learned and adaptive, but it can be influenced. It takes a group working collectivity and it begins with the leaders.

To impact change and behavior, you must be aware of, and work from within, the existing culture. Does your organization have a marketing organization that helps with internal communications? If so, understand how they leverage the communication methods, formats, and branding. It's so important that *your* communications speak with the established voice/tone of the company so that you aren't seen as un-connected and (worst of all) irrelevant. You also need to get an idea of where there divisional, departmental, and regional nuances. Work within the specific cultural frameworks within each of these segments. And, always be on the lookout for existing communication channels that you can plug-into (e.g. existing meetings, executive videos, etc.) so that you message is interwoven with the other company-centric messages.

3. Leverage behavior management principles to help shape good security hygiene

Let's start by recognizing that just because you're aware, doesn't mean that you care!  

Security awareness and security behavior are not the same thing. Your security awareness program shouldn't focus only on information delivery. There are plenty of things that people are aware of but may just not care about – we need to make people care. 

Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices.

The idea is that we need to create engaging experiences for users to drive specific behaviors. (Check out BJ Fogg's work for more on great examples of behavior model and habit creation).

An example of this would be simulated phishing platforms. These distill some of the fundamentals of behavior management into an easy to deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim for the simulated attack. Do this frequently, and you will see dramatic behavior change. 

4. Be realistic about what is achievable in the short-term and optimistic about the long-term payoff

Be a realistic optimist within your organization. What can you impact today? Know your place and your scope of influence and remember that culture starts at the top.

Understand the foundation of your culture and then create a customized roadmap for security culture management. To do so, you must evaluate four areas: 

  • "How we make decisions" outlines the general leadership style and how this affects the outcomes of the organizational culture.
  • "How we engage" focuses on how people collaborate internally and with external stakeholders to deliver on their goals.
  • "How we measure" describes organizational performance metrics, and how they affect organizational achievements.
  • "How we work" defines the working style of teams, how solutions are created, and problems are solved, which affects organizational outcomes.

By understanding these four attributes of organizational culture, security leaders and corporate leaders can make informed choices when trying to change cultures and improve an organization's overall defense.  

Here is where the rubber meets the road. You've got all of the planning out of the way, created SMARTER goals, understand the nuances of your organization, and are focusing on creating real, sustainable change. Now it's time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, and so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization; and that sometimes means training people how to be trained.

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world's most popular integrated new school security awareness training and simulated phishing platform.

Copyright 2010 Respective Author at Infosec Island

via Infosec Island Latest Articles https://ift.tt/2sNUh5u
RSS Feed

If New feed item from http://www.infosecisland.com/rss.html, then send m

IFTTT

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more