The discourse around security culture has been inspiring. People responsible for technology are increasingly talking about people and culture and how important it is to build a security culture. No one could ever criticise this approach, and it is fundamental to creating a human firewall in the face of threat.

However, one must be relatively realistic as to what is achievable given the urgent need to protect our organisations from increasing cyber-attacks. In the same way as we all seek to be environmentally friendly and do what we can to support a thriving world that humans can inhabit for many thousands of years to come, we need to think strategically as to how we achieve that, with some fundamental KPIs that are specially designed to make definitive progress. Security culture is something that is difficult to measure, perhaps even more so than the environment. We can at least rely on the life sciences to inform us on CO2 emissions and average seasonal temperatures, but how do we know if we are achieving an optimum security culture? What is security culture anyway?

Culture is defined differently depending on the school of thought approaching the topic: a social psychologist will have a different view from a philosopher, and similarly a behavioural scientist will have a different view from a sociologist. Of course, there is no right or wrong, and one of the wonderful things about human beings is our complexity and our ability to creatively find solutions to problems in a way that robots struggle to. But how do we measure culture and create KPIs when we can’t all agree what it is?

Even if we are to agree that security culture is a given collection of constructs that can be measured in a unified way, we must consider how long it reasonably takes to change a security culture. On average it takes eight years to change a culture. Many of us know this if we have moved to a new country. Even after five years, people typically still feel more comfortable speaking their own language, celebrating the traditions of their childhood, and eating those home-cooked foods their parents used to make.

We may choose to measure security culture based on behaviours: how secure are employees’ passwords, are they updating their PCs, and so on. But this is complex, as their behaviour may have very little to do with their attitudes towards security, and there may be business barriers to adopting those behaviours, such as the tools being problematic so that workarounds are adopted. How can a security culture assessment tell the difference? Perhaps if one measures behaviour and attitudes and explores barriers, then we will have it all covered?

The fundamental problem with this approach is the major assumption that people are motivated towards creating a security culture, when unfortunately this is often not the case. It takes environmentally friendly people to create a healthy environment; it takes security-conscious people to create a secure environment and a human firewall. Of course, awareness is an extremely important facet of creating a security culture, but there are those who will be reluctant or even resistant to change, not least towards a security-focused mindset.

So, the question is not what security culture is, but what elements we need to create a long-lasting security culture. Recruiting employees who are security conscious is critical for creating a security culture, and if your recruitment and selection programme is not aligned with your security culture and insider risk programmes, then don’t be surprised if your security culture fails to improve. Hiring employees who are inherently committed, loyal and trustworthy, as well as intrinsically motivated towards meeting organisational goals and objectives, including participating in and helping to create a security culture, is not just a nice-to-have; it should be as important as the ability to complete the tasks of the job. After all, aren’t we expecting employees to complete security-related tasks as part of their roles?

