Looking for security culture change, but you don’t know where to start? Amanda Price suggests five questions that will show you what your current security culture looks like.
I’ve been reading some great articles about key security questions recently. First there was 137 Security Questions Every Leader Should Ask by the Security Intelligence Staff at IBM Security, and then a follow-on article, 5 Key Questions About Your Security Posture by Mark Nunnikhoven, Vice President Cloud Research at Trend Micro. In both cases the questions were carefully designed to bring into sharp relief the issues, risks and business priorities which are essential for designing a successful security strategy.
Not only did I enjoy the incisiveness, rigour and energy of the questioning; I also appreciated the spirit of collaboration Mark Nunnikhoven brought to it. He points out that for a security question to translate into an effective security posture, each inquiry must take place within the context of the specific business it serves: security processes viewed in isolation, he cautions, may fall short of offering a true evaluation of the security issues under observation.
At Layer 8, questions and inquiry are always our starting point, whether we’re engaged in Security Culture diagnostics or working with teams to ‘grow’ their Security Culture across the business. We learnt very early on that telling people what to do has little or no effect beyond ticking the compliance box, whereas the energy and focus that come with carefully worded questions tend to start the process of change even as the answer is being formulated.
We often hear the statement “Security awareness needs to translate into security behaviours”, which means little until it is used as the basis for questions such as:
- What would good security behaviours look like in your business environment?
- How could you demonstrate, in your behaviour, your commitment to secure working practices?
- How are good security behaviours recognised, and rewarded?
In a spirit of collaboration, therefore, I would like to add to this thread of articles about questions, five which relate to the security culture operating in your business. Culture is the way we demonstrate what matters to us through what we say and do on a day-to-day basis. Culture defines people’s thoughts, values and interactions; it’s as essential as the air we breathe – and just as difficult to ‘see’ clearly.
Here are 5 questions which we have found helpful in making visible the current security culture of an organisation, as the starting point for creating the journey towards the culture you need to support your security strategy as a whole:
- What’s most important to employees in your business? What do they talk about most?
- How does ‘what’s most important’ impact on security practices?
- What gets rewarded in your organisation? Are secure behaviours recognised or rewarded?
- What’s ‘the face’ people make, in meetings, in offices and over lunch, when the subject of security comes up? Is it the face you want, and if not, how could you change it?
- What opportunities are there for employees to demonstrate their commitment to secure work practices in your organisation?
Layer 8 offer rapid diagnostics and effective planning for the creation of a proactive security culture where each and every employee takes responsibility for their actions.