Let’s begin by looking at what culture is and why it matters. Culture is tacit and elusive in its very nature. It is often unspoken, based on behaviours, hidden in the thoughts and minds of people. We often see it embedded in the organisation’s framework: in its vision, mission and values, which can also describe the attitudes it has towards various things. Such as, does it value innovation over tradition? Does it focus on people or processes? Does it embrace change? Or, will it fight it every step of the way?
Observable culture is the way an organisation welcomes new employees, comes together (or not) at a time of crisis, manages performance, celebrates birthdays, responds to change and ideas or treats its customers and vendors.
Culture is also the way you go about your day-to-day work when no one is watching. This was highlighted when we moved to a remote working situation as a result of COVID-19 and witnessed an uptick in cyber incidents and successful breaches.
We are all familiar with the term ‘toxic culture.’ This describes an organisation that is not a nice place to work. People are mean, no one really wants to come to work, bad behaviour gets rewarded or ignored and the general perception is not at all positive.
What is a Security Culture?
This depends on who you ask. We define security culture as the ideas, customs, and social behaviors of a group that influence its security. Organisational leaders can use the model to visualize their current level of security culture and plan the steps required to progress from one level to another.
What is good security culture?
A good security culture is where people make the right decisions when it comes to security, are aware of the threat landscape, know what red flags to be on the lookout for, report all suspicious activity and understand their role in cybersecurity as the human endpoint.
A (cyber)security culture is not just completing training or reporting phishing emails. It’s the unseen and sometimes unmeasurable situations that occur and the subsequent response. Let’s look at the benefits of having a culture of security versus not having one.
The following situations are from the point of view of the human - your users - and represent what is going on in their minds when they're presented with a security-based situation.
Situation 1 – A phishing email (malicious email) arrives in an inbox from a bank with multiple grammatical errors, a link that is clearly suspicious, multiple font sizes, unformatted and the sender’s email address is clearly fake.
|
The human working at an organisation WITHOUT a security culture |
The human working at an organisation WITH a security culture |
|
“This email looks very suspicious, I don’t even bank with them. I’ll ignore it and delete it later.” |
“This email looks very suspicious. I’ll report it to the cyber team as they will want to investigate it further.” |
|
Technically there is nothing wrong with this response. However, ignoring a suspicious email may result in someone else in the organisation engaging with it. |
This response demonstrates a security culture as the simple act of reporting a suspicious email provides the cyber team an opportunity to investigate it and remove all instances of it in the organisation’s systems to avoid a potential incident. |
Situation 2 – A USB device found on the floor in one of your lifts with ‘Payroll 2022’ written on it.
|
The human working at an organisation WITHOUT a security culture |
The human working at an organisation WITH a security culture |
|
“LOL – this is going to be good. I’ll take it back to my desk, plug it in and show the guys.” |
“As much as I want to look at this, I am going to take it to the cyber team as it could be a trap.” |
|
Curiosity will always get the better of us. Especially when it comes to private or confidential information. Plugging in a random USB has the potential to cause a cyber incident. |
Again, curiosity is there. Because this person understands the potential risks of plugging in a random USB they will make the right decision and hand it in to the cyber team to investigate. |
While these situations seem second nature to those of us who live and breathe information security and cybersecurity, they are not second nature to everyone else. I can promise you that this is exactly what your people are thinking and doing every single day.
You have security culture at your organisation, but is it the one you want?
It’s true. Every organisation already has a security culture whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be and go about making that happen.
To understand the security culture you have today, you need to ask some questions, make some observations and take the time to document what you discover.
Start by asking: Do your people understand the impact to your organisation if a breach were to happen? Are they aware of the cyber threat landscape? Do they lock their devices when they step away from them in all situations? Do they follow existing policies (internet usage, clean desk, reporting incidents, etc.)? How do they respond to phishing and other social engineering? Do they consistently create insecure workarounds (use a personal Dropbox or unsecured personal devices at work, etc.)?
Once you have an idea of where you are, it's time to consider, discuss and define what your organization's security culture should be. Ask, does my organisation care about security? Which areas of the business are least and most security-minded? Which employees are most risk-averse? How strong or weak is our security culture? In what part of our organisation do we need to improve security culture? And, how effective is our security culture programme?
Once those questions are answered, it will give you a starting point to implement awareness, education and training across your organisation.
Now back to the initial question: What happens to an organisation when it has no security culture? Let’s flip it to this: What happens to an organisation when it has the security culture you want?
Building a strong and positive security culture as defined by you is an effective mechanism to influence your users’ behaviour and, thereby, reduce your organisation’s risk and increase resilience.
This blog post was originally published by World Economic Forum.
The data-driven and evidence-based Security Culture Maturity Model, developed by KnowBe4 Research, is 
