By now, you’ll hopefully have started noticing a few recurring themes on this blog, and one of them is the notion of security as culture. Sometimes that’s the high-level thinking about what security looks like for our organisations, or it can also be specific to the type of training that’s provided to staff to enhance and strengthen security posture.
In this post, I’d like to elaborate on the latter point by talking about managing a security framework. It’s possible to achieve practical security compliance cost-effectively provided the necessary cultural changes become embedded.
When we talk about culture change, the three aspects to consider are:
- Nature of change: identify the people, behaviours and practices that require a change of cultural nature in implementing an IT security programme
- Resistance aspects and enablers: what are some of the common ways in which people push back against change, and how can we avoid them to enable change to happen
- Change strategies: there are several options that are commonly used to effect culture change – I believe empowerment strategies driven by business interest are some of the most valuable in this context.
Some goals can’t be attained without a systematic approach toward culture change, driven by the business. It has to empower users, who as a result of the initiative, can see a clear and constant connection between the change in behaviour and business success.
In a security context, that means they need to see a positive outcome that results from them following processes and being more security aware. Metrics and qualitative feedback can be put to use here to bring this message home. The empowerment process should focus on experiencing and skills development, which fosters a positive attitude towards security or compliance-driven behaviour.
A good security programme needs to encompass people, process and technology, and the initiative must have sponsorship from the highest levels of the business. Education is the key to achieving this, and the education programmes should apply to every single person in the organisation from the C-suite, to the board, right down to your reception area. These programmes should be designed to ensure your people at all levels understand not just what you’re trying to achieve but why. (This also reinforces the point I made earlier, about fostering a clear link in people’s minds between business success and positive security behaviour.)
Other aspects of a good security programme include self-governed pre-assessments, and a security blueprint that I like to divide into three sections:
- 1-year tactical program for quick wins and to address immediate critical vulnerabilities
- 3-year strategic security and compliance plan
- 5-year aspirational security and compliance plan that includes focus on new technologies and upcoming standards and regulations.
Continuous oversight is another critical aspect of adopting a more security-aware culture. This is the time to develop a remediation plan that covers policies and procedures, technical security solutions, network and application security, and specialised skills transfer. I believe that annual certifications to standards such as PCI-DSS are a useful benchmark because it’s a regular measure for the strength of your security culture.
One of the most effective ways to treat security programs is to see them as an opportunity to alter and improve your culture, and to frame the challenge in those terms. If your security and compliance initiatives lack this kind of integrated approach, any attempts at change will be costly and ineffective. To adapt a phrase that’s been attributed to the management guru Peter Drucker, ‘culture eats security for breakfast’.
But the converse of that also holds true: when a strong security culture becomes part of your organization’s DNA through ongoing education, then it becomes easier to adapt to new and evolving threats, and the regulations that help us to guard against those risks.
I’ll be speaking about this topic at the ISACA Ireland chapter conference in Dublin on 11 November. I hope you’ll join me.