Security culture remains an elusive, amorphous ‘thing’ that we all aspire to improve but don’t really understand why or how. This is not unusual in organisations and institutions that try to understand why the interactions and communication between the people who deliver the goals of the group take on a particular ‘flavour’, and why some organisations or institutions embody flavours that we deem good or bad depending on our own moral compass, professional needs and perspective. Simon Wardley writes eloquently on what culture in an organisation may mean.
I have often been frustrated or unconvinced by vendors and consultancies who offer to improve the security culture of organisations whose security I am responsible for. It seems that shaming staff (phishing tests), boring staff (presentations, quizzes and videos) or driving competition between staff (gamification) are the only answers available, and few of these offer any sort of measurement of their effects, being some sort of magic that improves things in ways we cannot see.
Culture is a combination of things but is ultimately embedded in the decisions that staff and partners make in delivering an organisation’s goals. Wishing that poor decisions didn’t happen is no way to take responsibility for outcomes, and attempting to measure a culture by inferred intentions is no substitute for measuring a culture by actions and visible behaviour.
With this in mind, some years ago I worked with Kaplan to co-develop a definition of a deliberate security culture I wanted to engender, rather than rely on the magic of other approaches in developing and shaping the security folkways that had accreted over time.
The definition of culture we created was a series of aspects of competencies in decision-making, where, as the security leader for the organisation, I was responsible for defining what good looked like. I accepted that in different parts of the organisation (it was a global business) the forms of behaviour might differ, but ultimately there were decision outcomes where I needed to achieve consistency. These were:
Business Focus
Business focus encompasses the balance between flexibility, agility and business-enabling behaviours with known effective security controls, the understanding of what is critical to the business, the awareness of reasonable compensating controls that may not be the best pure security answer, and the ability to challenge policy and standards where they harm the business more than they protect it.
Cyber Risk Awareness & Assessment
Cyber risk awareness and assessment encompasses an awareness of the threat environment and the responses available to the challenges it presents, the proactive appreciation of threats, the appreciation of cyber specialists’ needs, and the ability to assess cyber needs throughout the lifecycle of a product or service.
Security Policy & Best Practice
Security policy and best practice encompasses knowledge of the organisation’s policy, an understanding of the security roles and responsibilities in the organisation, the proactive reporting of areas of concern, and support for appropriate investment in security.
Cyber Security Advocacy
Cyber security advocacy encompasses behaviours that promote a proactive, values-based cyber culture, working collaboratively on cyber issues. It includes challenging colleagues when poor behaviour is evident and ensuring partners and contractors meet the organisation’s requirements and expectations.
Personal Practice
Personal practice encompasses taking personal responsibility to ensure cyber compliance and applying cyber practices inside and outside the workplace. It also encompasses adopting resilient and balanced decision-making, as well as applying basic security hygiene at work.
This was my preferred security culture and set of competencies; yours will likely differ, but I think a good question to ask is “What does the deliberate security culture in my organisation look like?”. If you don’t know that, then all you are doing is surfing the wave of security folkways and hoping the magic gives you the outcomes you are hoping for.
Our first approach was to measure the current competencies against these criteria. We created a series of true/false statements and a set of scenario-based questions with multiple answers, none of which was the right answer. With the senior security leadership team we set the balance of each we were hoping to see (the target), and also, as a group, scored the variety of answers on their delivery against each competency.
This allowed us to test in real-world scenarios, such as:
The CEO is in a Chinese hotel, has smashed their mobile phone screen and has asked if they can go to a local phone shop to have it replaced. They leave in 24 hours. What should we do?
- Tell them not to fix their phone and sort it out when they return.
- Tell another member of local staff to give the CEO their phone and username and password.
- Tell them to fix their phone but disable access to the corporate network.
- Tell them to fix their phone and do nothing else until they return to the office.
We chose our preferred answer as a leadership team and scored all the answers on each competency. We also asked staff to estimate how confident they were in their decision using a slider from 0% to 100%.
This meant we not only had a measure of the current security folkways of different businesses and different geographies, but could also start thinking about where staff were ‘confidently wrong’, an area to address immediately, and about areas where staff displayed ‘unconfident competence’, where some reinforcement might increase their confidence in doing the right thing. We kept the survey anonymous but were able to identify seniority and geography, so we could look for these sorts of patterns in ways that then allowed us to target interventions to bring the security folkways closer to the deliberate culture we wanted.
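To make the scoring concrete, here is a small worked example of the method described above (this is added illustration, not the author’s or Kaplan’s survey tooling). It takes the CEO-phone scenario, a constructed per-competency score for each answer as a leadership team might set it, a constructed set of anonymous responses with a confidence slider value, and computes two things: a per-competency profile for each geography, and a count of ‘confidently wrong’ and ‘unconfident competence’ respondents per segment. The 0–3 score scale, the 70% confidence cut-off and all response data are assumptions chosen for the example.

```python
"""Added worked example (not the post's own code): scoring scenario-based
security-culture responses against a set of decision-making competencies.

Assumptions not stated in the post: each answer is scored 0..3 per competency
by the leadership team, confidence is recorded as 0..100, and 70% is the
cut-off between 'confident' and 'unconfident'. All data below is constructed.
"""

from collections import defaultdict
from statistics import mean

COMPETENCIES = [
    "business_focus",
    "cyber_risk_awareness",
    "security_policy",
    "cyber_advocacy",
    "personal_practice",
]

# The CEO-phone scenario from the post. The per-competency scores and the
# preferred answer are constructed for illustration; a real leadership team
# would set these itself.
SCENARIO = {
    "question": "The CEO is in a Chinese hotel, has smashed their mobile phone "
                "screen and wants a local shop to replace it. They leave in 24 hours.",
    "preferred": "C",
    "answers": {
        "A": {"text": "Do not fix it; sort it out on return",
              "scores": {"business_focus": 0, "cyber_risk_awareness": 3,
                         "security_policy": 2, "cyber_advocacy": 1,
                         "personal_practice": 2}},
        "B": {"text": "Borrow a colleague's phone, username and password",
              "scores": {"business_focus": 2, "cyber_risk_awareness": 0,
                         "security_policy": 0, "cyber_advocacy": 0,
                         "personal_practice": 0}},
        "C": {"text": "Fix it but disable corporate network access",
              "scores": {"business_focus": 2, "cyber_risk_awareness": 3,
                         "security_policy": 3, "cyber_advocacy": 2,
                         "personal_practice": 3}},
        "D": {"text": "Fix it and do nothing else until back in the office",
              "scores": {"business_focus": 3, "cyber_risk_awareness": 0,
                         "security_policy": 1, "cyber_advocacy": 1,
                         "personal_practice": 1}},
    },
}

# Constructed anonymous responses: segment labels, chosen answer, confidence %.
RESPONSES = [
    {"geo": "UK",   "seniority": "senior", "answer": "C", "confidence": 90},
    {"geo": "UK",   "seniority": "staff",  "answer": "C", "confidence": 40},
    {"geo": "UK",   "seniority": "staff",  "answer": "D", "confidence": 85},
    {"geo": "APAC", "seniority": "staff",  "answer": "B", "confidence": 95},
    {"geo": "APAC", "seniority": "senior", "answer": "A", "confidence": 30},
    {"geo": "APAC", "seniority": "staff",  "answer": "C", "confidence": 55},
]

CONFIDENCE_CUTOFF = 70  # assumption: percent at or above which a choice is 'confident'


def competency_profile(responses, scenario, group_by):
    """Mean score per competency for each value of `group_by` (e.g. 'geo')."""
    buckets = defaultdict(lambda: defaultdict(list))
    for r in responses:
        scores = scenario["answers"][r["answer"]]["scores"]
        for comp in COMPETENCIES:
            buckets[r[group_by]][comp].append(scores[comp])
    return {seg: {comp: mean(vals) for comp, vals in comps.items()}
            for seg, comps in buckets.items()}


def classify(response, scenario, cutoff=CONFIDENCE_CUTOFF):
    """Cross confidence with agreement with the leadership's preferred answer."""
    right = response["answer"] == scenario["preferred"]
    confident = response["confidence"] >= cutoff
    if right and confident:
        return "confident competence"
    if right:
        return "unconfident competence"
    if confident:
        return "confidently wrong"
    return "unconfidently wrong"


def intervention_targets(responses, scenario, group_by):
    """Count each confidence/correctness class per segment, to aim interventions."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in responses:
        counts[r[group_by]][classify(r, scenario)] += 1
    return {seg: dict(c) for seg, c in counts.items()}


if __name__ == "__main__":
    for seg, prof in competency_profile(RESPONSES, SCENARIO, "geo").items():
        print(seg, {k: round(v, 2) for k, v in prof.items()})
    print(intervention_targets(RESPONSES, SCENARIO, "geo"))
```

With several scenarios, the same two functions are run per scenario and the per-competency means averaged, and `group_by` can be switched to `"seniority"` to look for the seniority patterns mentioned above. The ‘confidently wrong’ count is the one to act on first; the ‘unconfident competence’ count tells you where reinforcement, rather than correction, is the cheaper intervention.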
Overall we found that the organisation we were in, a highly regulated, conservative business, was surprisingly strong on personal practice and security policy but weak on cyber risk awareness and business focus. Again, this allowed us to think about tailoring our communications, our policies and our training to emphasise these areas.
This was very useful for me and I think serves as a model for other security leadership teams thinking about moving towards a deliberate security culture.
Note: Business Focus and Cyber Risk Awareness & Assessment can be considered opposing forces, the former pushing towards efficiency and the latter towards security. I wrote a little about this tension here.
I was reminded by Mario Platt of Rasmussen’s model of accidents in safety, in which there are pressures pushing towards efficiency (business focus), towards safety (cyber risk awareness & assessment) and towards reduced effort (the counter to personal practice and cyber advocacy).