What is security culture? There’s lots of talk about how important security culture is to a security program, but security culture is a nebulous concept to attempt to define — and harder still to measure. It’s also, apparently, difficult to achieve: a survey from the IT governance professional’s organization ISACA found that nine in ten enterprises said they have a gap between the security culture they want to have and the actual culture they have in place.
That survey also found that just 5% of employees think their organization’s security culture is as advanced as it needs to be to protect their business from internal and external threats.
So, again, what is security culture? Does security culture mean everyone in an organization thinks security first in everything that they do? That everyone is an authority on security? Of course not. But it does mean the security impact of their actions is taken into consideration and that, broadly speaking, everyone realizes they have a role in keeping the information within their company or organization secure.
Getting security culture right helps to create and maintain a security-conscious staff and can be an important part of maintaining long-term security. How do you know if your organization has a good security culture? Over the years I’ve spoken with quite a few organizations about their culture and what indicates to them what a good security culture is.
Here are a few of the more important indicators that were mentioned repeatedly:
Employees will think twice before clicking on a link. Here’s a reliable indicator: an organization with a strong information security culture will have fewer employees who click on links within phishing emails. This is accomplished through regular security awareness training and by building security conscientiousness. While it’s certainly not the only indicator that matters, it is a good indicator of how security-conscious staff are. It also doesn’t mean the staff is immune to phishing attacks. No single person is, so certainly no population of people is. It simply means that staff is generally more aware and conscientious.
Will share and report suspicious emails. More than being careful when it comes to phishing attacks, employees within an organization with a strong security culture will actively participate in protecting the organization. They’ll report suspicious emails and phishing attacks when they see them, and the security team will encourage such collaboration.
They won’t go rogue. The better the security culture, the less likely staff, contractors, executives, and others will work to sidestep security policy. For instance, they’ll be less likely to copy data to unsanctioned cloud services or removable storage devices.
Will ask security for help when needed. If they want to use a new product or service, they’ll be more inclined to run it by IT or the security team. This indicator runs both ways and is generally the result of the security team doing a great job of not being the department of “No,” as the old saying goes, and of continuously helping to build secure solutions and ways for staff to use the tools and technology they want in a secure way.
Security is invited early on into projects. When building new applications and services, the development teams will seek to have security be part of the process early, during the design phase, depending on the project. This should be part of the business process, but too often it still isn’t, and security teams find themselves trying to mitigate risk after systems are already designed and built. Organizations with strong security cultures don’t find themselves in that situation.
Business leadership has a decent understanding of risk. One of the strongest indications of a healthy security culture is strong executive leadership support. In fact, it’s likely impossible to attain and maintain a good security culture without having executives that support the efforts to get there. This is essential not only for securing the budget for adequate training and for having a security team in place, but also for actually setting the security tone throughout the organization.
I’m sure there are many other indicators that point to an organization having a strong security culture, and I’d be thrilled to hear your ideas.
However, it appears that many organizations aren’t dedicated to creating and maintaining a strong security culture. Consider that the ISACA study found that 42% of organizations do not have an outlined cybersecurity culture management plan or policy in place. The survey is from late 2018, but I see little reason to believe this situation has changed since then. Hopefully, in the years ahead, as awareness of security breaches (many of which are totally avoidable) and their impact continues to grow, this will change.