Security Culture Questions to Consider

Here are three basic questions that security leaders need to keep coming back to in order to assess enterprise security culture and ongoing cyber-risk.

April 7, 2019

Security and technology leaders around the world are becoming much more focused on the importance of improving their enterprise security culture as a vital component of overall risk management. The need to provide tools, training and other technology aids to staff is well-documented, but how can this be done in our fast-paced, ever-changing online world as cyberthreats evolve?

To deliver on the ongoing promises of effective security awareness training for all employees, technical training for select professionals, or whatever stronger term is used to rename targeted cyber training, how can cybersecurity improvements be incorporated into an organization’s DNA?

In a blog written last year for netwrix.com that offers several helpful tips, a security culture is defined as “a healthy mix of knowledge and follow-through.”

Tim Ferriss shared his definition of security culture as: “what happens when people are left to their own devices.”

3 Questions on Security Culture

But before I offer you some basic questions to get started, here’s a small sampling (from just the past few weeks) of the many articles that pop up when you google the term “security culture.”

All of these articles offer helpful tips and insights; however, these (and most other) articles rarely touch on the vital, yet basic, questions and analysis that are so central to a security program’s success.

Here are three basic questions, which may seem simple at first, but offer tremendous value. If the honest answer to any of them is “no,” think of strategies to drive that behavioral change.

1) Do your employees truly value security? How do you know?

In over 30 years in the security and technology industries, I have never known an employee or manager or contractor to raise their hand and say “I don’t care about security.” It just does not happen. But actions speak louder than words, and not just in the cybersecurity area. So what do you do to measure security engagement beyond sending surveys?

In a blog I wrote a few years back on the security culture topic, I closed with this quote from David Novak on the greatest challenge facing leaders today:

“Seven in 10 employees in the U.S. are not engaged. They're going to work and they can't wait to go home,” he said. Novak said great companies create environments where everyone counts and is valued.

2) Why should they care? What motivates different staff?

I like this blog by Cisco, which takes on the question: how do you counter the mindset “I have nothing to hide, so I have nothing to protect”? Here’s an excerpt:

“Many people justify not having strong passwords with a “Who’s going to want to read my emails?” but ask them if they would give you their bank card and PIN and I doubt any of them would. It is not obvious to everyone that all data, and not only financial data, has value. It can be used for profit, but it can also be used to damage your business. Everything is connected.

It may help to offer your employees some examples that they can relate to at a personal level. For example, someone could collect personal information about them on social media and have enough to pass all security checks and make a big transfer out of their bank account. Or a troll could guess their Facebook password and take over their account, just to message obscenities to all their friends.

In the same way, in a corporate environment, hackers could use employees’ personal information to plot a spear phishing attack or a business email compromise; or a disgruntled employee or competitor could expose corporate emails just to embarrass a company in front of their customers.

People sometimes don’t care about security because they don’t see the bigger picture. You gain access to that one system that “doesn’t matter” and all of a sudden you found a way into the most valuable information a company holds. Once you manage to explain this logic, you will get more people interested. …”

I teach several courses on effective security awareness training all over the world, and I never cease to be amazed during the breakout discussions with the stories from different organizations. I have learned that various people have many different motivations — depending on a long list of factors ranging from their age to whether they are a parent to how long they have been with the organization. Here are a few examples of what can motivate behavior:

  1. Policy — “Boss (or CEO or Department head) says I should care.”
  2. Fear — Scary headlines, news stories, FUD, “CISO says I should care.”
  3. Career Progression — “HR Director says I should care.” Fear of being fired. Will it hold me back? Pay. Benefits.
  4. Compliance — “COO or auditors say I should care.”
  5. Family — Integrity — “Wife and kids are watching me at home.” Right thing to do. Loyalty to company. Set a good example.
  6. Past Experiences — “I’ve screwed up, seen an impactful breach, lost my identity or watched close friends who made mistakes and want to avoid those, if possible.”
  7. New Understanding — Read a lot. See the benefits and risks. Personal discipline.
  8. Intriguing Content — Games, fun, challenges, competitions.

3) Are you (personally) moving the security culture needle (in the right direction) now?

I always learn a lot from the writings and talks by John C. Maxwell, who says: “Leadership is a journey, not a destination.”

I encourage you to listen to or read Maxwell’s “Ordinary to Extraordinary Series,” which offers very practical tips for leading your organization through all types of change. Here are some of the highlights from one session:

— Keep learning, keep growing.

— What’s your plan for growth?

— Growth is not an automatic process.

  • What do you do after you know it all?
  • What are your potential learning moments today? Who will be my potential learning people? What am I learning that I need to learn more about today? Anticipate growth.
  • Where can I use this? When can I use it? Who needs it most?
  • The incompetent person doesn’t ruin an organization, they never get the chance. It is the successful person who stops growing, resting on previous success that hampers (clogs up) an organization.

I would take Maxwell's point further and apply many of his points on growing as a leader to leading security culture improvements. Yes — building a successful security culture is also a journey, not a destination.

Many people eventually get to a point when they claim to "already know all of this" about cybersecurity practices or good online hygiene or related topics. However, the reality is that they can learn much more, and often need to be challenged further with new material. Most of all, we all need to practice what we know in various circumstances and situations. If an employee is truly a well-informed expert, who else can they share their knowledge with throughout the business or technical side of the organization?

Closing Thoughts

We always have leaders, followers and laggards in every organization. This means we will all have unique homework assignments in different areas.

But what concerns me most about this security culture change topic is the number of CxOs who tell me “we’ve already done that.” (My thoughts: REALLY?) I don’t think these leaders truly understand the meaning (and impact) of constant change and ongoing positive security improvements through staff.

Also, some cyberleaders tell me all the right things regarding culture change, but when I talk to their counterparts (public- or private-sector business leaders), they tell me a very different security story about staff security buy-in.

Bottom line: Security culture change is not a “one-and-done” activity. All of our organizations must be constantly improving, or we will certainly be an easier target for online criminals.
