Listening to Ira Winkler’s presentation at this year’s Irisscon conference, one of his comments struck a chord. “The right culture is that you don’t need a good security awareness programme because a new employee sees how everyone behaves, and they behave exactly like them,” he said.
By way of example, he recalled an incident from his time at the US National Security Agency. He had forgotten to wear his name badge, and a colleague stopped him and told him off for not doing so. Moral of the story: he never left his badge at home again.
Ira Winkler’s point was that the organisation was so steeped in positive security culture that workers didn’t need periodic reminders through awareness programmes. The same isn’t necessarily true of many other companies or industries. What happens if the new employee copies someone whose security ‘culture’ and habits aren’t ideal? It got me thinking about what security culture is, how you go about starting one, and then maintaining it.
When it comes to everyone in an organisation ‘doing security’ already, I’d argue that the National Security Agency has a little bit of a head start. (The clue’s in the name.) Expectations on good security behaviour would be high.
As a rule, company policies tell us “do good stuff/don’t do bad stuff”. Quite often, though, we need to define what we mean by good and bad.
How granular and descriptive do those policies need to be? Forgive me for sounding like every lawyer you’ve ever met, but “it depends” (I wonder if I can copyright that phrase? 😊). If you’re working in a bank, or for an organisation that has security in its title, you have a particular set of expectations. If you’re working in a manufacturing or pharma organisation your priorities may be different, and more closely relates to whatever your product is and whatever you’re trying to protect. For a security company, having its integrity damaged could have serious consequences. For another company, a security breach might be disruptive but not fatal. The policies of either organisation and expectations on behaviour, are likely to differ on that basis.
That being said, the organisation’s maturity should never be a barrier to carrying out security initiatives. You don’t need a perfect solution (or big budget) before talking to people. For example, we often think IT people know security, but while their jargon may be similar, we shouldn’t assume knowledge on anyone’s part. By that I don’t just mean knowing the subject, but also knowing the right thing to do in a given situation. IT staff don’t necessarily read the same trade stories and visit the same industry websites that security professionals or data privacy experts do, so they don’t always understand the consequences.
So part of the trick is to tailor the message to suit the audience. If a security practitioner is presenting to the board, the message has got to be brief and punchy. That generally means two slides at most and focusing strongly on cost and measurement to demonstrate a Return On Investment. When talking to IT staff, or to shop-floor workers, you might need a slightly different message in order to connect with their roles. That might call for fresh phrases or images rather than ones you’ve used for other groups.
No matter who’s listening, you should keep the message simple. That way, you can start to move away from security awareness towards real security engagement. It’s all about making the messages personal so people ‘get it’ and it’s relevant to them. The more effectively you can do this, the sooner you can progress to the next stage, which is changing behaviour.
This comes back to knowing your audience. The message for IT professionals might be: ‘here are examples of security controls you need to apply’. If a process is failing, maybe it needs tighter controls in place. But it’s worth doing some extra research to find out who really owns the process. Let’s take the common example of what happens to an employee’s access privileges when they leave the organisation. You might automatically think it’s the IT department’s responsibility to revoke their permissions, but it’s HR’s responsibility to tell IT that Bob or Sue don’t work here anymore. In the case of contractors, it might be the business line manager who’s responsible.
In an ideal world, you want people to do the right thing because it’s the right thing to do. That’s the kind of culture Ira Winkler talked about. But to get to a stage where the good behaviour you want happens automatically, sometimes you need to enforce consequences for the behaviour you don’t want. Getting to that point will involve a balancing act involving a carrot and a stick. Rewarding good behaviour will promote a positive culture, but if you’re starting from a place of low security awareness or culture, you may need deterrents to discourage the behaviour you don’t want.
But let’s focus on the positives and encourage and promote “good”.