A common complaint of CISOs is that employees know what to do but they just don’t do it
Awareness of rules and best practice fails to produce effective follow-through when it comes to security behaviours, whether it’s exercising caution around emails, locking screens when leaving computers unattended, or shredding documents before they go to recycling.
People aren’t always the problem…
It’s easy to state the problems the ‘human factor’ presents for business, but we also need to understand the context that perpetuates non-compliant behaviours. That context is always cultural.
…they can be the solution, if there’s a security culture supporting them
It’s possible to have the impression of compliance while the reality falls far short of an effective response to the risks the business faces. In other words, people know what to do, and they show that they know what to do in annual tests, but awareness isn’t translating into behaviours: corners are being cut and people are bypassing secure procedures. Worse, they might talk of those procedures as being “a pain”, “a waste of time”, “a barrier to getting the job done.” Altogether, this is a detrimental ‘shadow’ security culture working counter to compliance.
We might view compliance as the basics, doing what you’re told – it’s reactive. Security culture change is bigger; it’s holistic and much more dynamic. Colleagues engage their values and interact with each other. They understand the risks and take responsibility and initiative – it’s proactive.
Create a security culture people take pride in being a part of
In the next webinar in our People in Security series, we’re looking at compliance, culture and how to develop both in order to mitigate people risks.
Details of the webinar
TITLE: Minimise Risk – using people to prove compliance
HOSTS: Sarah Janes (Managing Director) and Amanda Price (Creative Director – Operations)
WHEN: Thurs 8th March 2018 at 11.00am-11.30am