Managing change and improving security culture should start with understanding the organisation, the people in it and what drives them.
In the case of cyber security, this begins with understanding why current security practices might not be effective and why people often find workarounds rather than follow security processes.
In The Psychology of Information Security, I discuss common reasons why people tend not to comply with security policies: they often don’t see why they should, it’s too demanding or they simply can’t.
When it comes to building security culture, leadership support plays a significant role. The tone must be set from the top: it’s difficult to take an initiative seriously if executives in the company are not leading by example.
However, a lot of boards don’t invite or listen to security professionals. They have no confidence in security professionals’ ability to understand the company’s business, to articulate how security aligns with it or to communicate beyond technical jargon. Security may not always be the most important thing for your co-workers because they specialise in something else.
Therefore, people should be in the centre of your security programme. Designing controls around people’s day-to-day tasks is a step in the right direction.
Security professionals should adopt the “we are here to help you do this securely” attitude rather than being perceived as creating obstacles for people to do their jobs.
Improving the culture in your organisation won’t happen overnight. People already know they should eat their greens and avoid junk food. Yet another reminder is unlikely to make them comply. But that’s how most of the security awareness campaigns work – they reiterate the message which does not necessarily lead to behavioural change.
A change in behaviour precedes a change in attitude. It’s similar to exercise – start working out first and your self-perception gradually changes to that of someone who exercises regularly, not the other way around. It has to be consistent and become a habit.
It may be an obvious point but you need to start with one thing and make it a habit and then progressively build on it rather than trying to boil the ocean.
The famous Law of Raspberry Jam also plays a role here: the wider you spread your efforts, the thinner they get at every given point. Concentration and focus are key.
I previously wrote about strong safety culture in some companies, particularly in the Oil and Gas industry. It starts on oil rigs and then eventually makes its way into corporate offices too; you can build on it to incorporate cyber security.
Many companies in this sector adopt a ‘zero injuries’ goal where they strive towards minimising safety incidents. How about a goal of ‘zero security breaches’ to complement that?
This doesn’t mean we prevent all breaches but we detect, report and act on them. We learn from them and address the root causes to stop them from happening in the future. Just like with safety, every individual in the company has a responsibility and a role to play.
Process and technology are important, but it’s the people that should be your focus. At the end of the day, culture is often defined as what people do when no one is looking. Let’s help them do the right thing.
Just like exercising, be consistent and you will see the results.