With the continued increase of threats in the environment, attacks on organizations, and publicized data breaches, more and more organizations are focusing on implementing security awareness practices. For many, this effort revolves around training. However, that is only one piece of the puzzle. The implementation of secure practices relies on a shared understanding of the threats the organization is facing and is dependent on the people within that system to maintain a solid security posture.
A well-defined and well-managed organizational culture, closely tied to an effective business strategy, can mean the difference between success and failure. But what does culture really consist of, and can it be changed? The answer to the latter question is yes – however, culture is usually deeply embedded in the organization and change can be challenging. But it isn’t impossible! It is important to first assess all three layers of the current culture to understand how and where changes might be implemented.
The first layer of culture is very easy to see and consists of the artifacts of the organization: the visible structures, processes, and observable behaviors. For example, this could be your published list of values, company logos/branding, symbols, colors, and slogans. The second layer is espoused values and beliefs: the ideologies, goals, and aspirations that people talk about. They are validated by the shared experiences of members of the organization and may not be consistent with the “published values.” Finally, the deepest layer is the basic underlying assumptions. These are the unconscious, taken-for-granted beliefs and values that determine perceptions and behaviors. This is one of the most difficult layers to assess and change.
Elements of a Security Culture
It should first be noted that the leadership of the organization needs to support and promote a security culture. It starts at the top. Leaders need to ensure that the strategy and goals are aligned and communicated, that appropriate structures and business processes are in place, and that desired behaviors and outcomes are rewarded.
It is important that everyone in the organization realizes and buys into the fact that security belongs to everyone. Not IT. Not the CEO. Not the CISO. Everyone. This can be reinforced through constant communication and the creation of security communities with diverse membership from all over the organization. It is important to reward and recognize those in the organization who do the right thing rather than just punishing and making examples of those who do not. Positive recognition begins to create a positive spiral and fosters an environment where security practices are seen as beneficial rather than just another task. Continual learning and improvement are important; these activities should be made fun and engaging, and they should address multiple learning styles.
However, the elements of culture are unique to each business, and different approaches work better in certain situations. Culture change can be a slow and difficult process, but there are many methodologies that can be used to increase the odds of transformational success. Email me at Rachael.firstname.lastname@example.org to connect and learn more!