Documentation
Support
In this article
What is security culture?Does a strong security culture always help the business?How do we shape security culture?How are security cultures really created?How to make real changesThe bottom lineBut I don't know where to start!
Home
Deep Dives

Growing positive security cultures

Edited

Security culture, and how to improve it, is a hot topic for many organizations. This is a good thing, because - I think we can all agree - healthy and positive security cultures actively contribute to supporting and enabling business. Poor security cultures can undermine the efforts of otherwise diligent staff.

The subject may be high profile at the moment but the fact remains: many employees across different kinds of companies don't seem to feel they are part of positive workplace security cultures at the moment. Why is that, and what can we do about it?

What is security culture?

Well, there is no single definition that works for everyone, in all circumstances (and that's ok). For now, we're considering how non-security specialists - you know, Normal People - tend to think about security culture. Ask Normal People what security culture means to them, and many will say that it's about the security decisions people make at work.

Imagine a situation where people:

  • always remember the things they are supposed to do for security,

  • always do those things, at the right times and in the right circumstances, and

  • prioritize doing things in secure ways when needed,

  • Many people would call that a 'strong security culture'.

Conversely, when people frequently skip vital security tasks, take risks and cut corners to get the job done, we have what is often called a 'poor security culture.'

Does a strong security culture always help the business?

Good question. From the list above, you might think that the stronger your security culture is, the stronger your business is. This is true - but only up to a point.

  • If people used all their brain power remembering things they are supposed to do for security, how would they do their actual jobs?

  • If they used all their time doing security related things, when would they do their actual jobs?

  • If they always prioritized doing things in secure ways, even when that stopped them doing their jobs...well, they couldn't do their actual jobs.

In business, it's crucial to balance the tensions between doing the job securely, and doing it at all.

How do we shape security culture?

In deciding what we think security culture is, most of us don't look far below the surface. We consider our own security knowledge and skills, our attitudes and our decisions. We examine our behavior, and our relationships with others. We look at what others say and do, and from that we try and infer their thoughts (this is fraught with peril, by the way).

When thinking about how to change organizational security cultures, it's common for many of us to focus on these same superficial factors. Mostly we seek to increase knowledge, and shape attitudes and behavior, by applying a fairly standard set of top-level, user-facing interventions. These fall under three broad headings: Awareness, Education and Training.

This top-level focus is a mistake. It’s looking only ‘skin deep’. It's a bit like a doctor trying to cure a fever with paracetamol, but missing the patient’s gangrenous leg, the actual source of infection and fever.

Just like the physician in our example, if we want to create a healthy, positive security culture, we first need to take a step back. We need to look at the systemic factors underlying the things people do day-to-day.

We also need to recognize that just as the doctor doesn't expect a patient to have advanced medical knowledge, as security professionals we can't expect everyone we meet to know everything we know about security. We have to meet them on their ground, and find solutions that help them in the ways they live their everyday lives.

If we don't do these things, superficial behavior-change initiatives cannot lead to long-lasting, positive cultural change.

How are security cultures really created?

Organizational security culture is intertwined with general organizational culture. This is shaped by messages sent out – at all levels, consciously and unconsciously - about, “How we do things here”.

This means far more than just formal communications. People's ideas of "how we do things here" are created and informed by many more things than we commonly think about. These include:

  • Physical buildings: open plan, or private offices? Brightly colored, or shades of grey? Staid and serious or bunting, bunting everywhere?

  • How we organize: rigid hierarchies and working processes, or fluid task-based teams?

  • What tools we use: clunky and unbending, or intuitive and fitting our needs?

  • How we talk to each other: can you go and perch on the boss's desk for a chat any time you like, or must you make an appointment with her PA three weeks in advance?

  • How we learn: most of us learn far more from our immediate colleagues than we ever do from formal training programs. Do people around us normally follow the security rules and processes, or routinely ignore them?

  • What we do when things go wrong: rush around looking for someone to blame, or pitch in and fix things?

None of these things, individually, are right or wrong. Different approaches are needed for different situations. But these are the things that inform people’s real experiences at work. Official comms may only match the organization’s aspirations and ideals, and this isn't always the same thing!

Campaigns aimed at changing security behavior are likely to fail if they clash with people’s underlying knowledge of “how we do things here”. This is even more so if the security rules and practices involved don’t fit people's real needs.

Another complicating factor is that large organizations don't usually have just one, single security culture (any more than they have a single business culture). There can easily be several different cultures, existing side by side, in separate parts of the business. This is natural and inevitable, but it does mean it's very hard to identify and spread correct, useful security messages that apply to everyone in the organization, and which everyone interprets in the same way.

How to make real changes

To improve your organization's security culture, you must first hear and understand the messages your organization sends out about "how we do things here". You must also listen to the messages people are sending back, and demonstrate that you are paying attention to what you are told. Only then can you start to understand what really needs fixing in your business, and build the foundations of a strong, healthy security culture.

When you act, don't confine yourself to your usual ways of doing things. Consider trying new ideas, to engage and connect with employees in a different way. Normal People tend to think they know what to expect from Security. By giving them something different you can start to involve and engage people, and bring them along with you. This in itself, is the start of changing the conversation and kicking off a fresher, more positive security culture in your organization.

The goal is to support users so they can do the right things without feeling they need to break the rules. Here's a few examples of common problems, and some ideas on how to put them right:

 

1. Tough choice

Organization says: "Security is a critical enabler for our business. Security is very important to us".

Organization does: Have a security manual that is long and detailed but rarely referred to day-to-day. Its rules conflict with what needs to be done in practice.

People hear: “Security and business demands don't actually match up, and business always wins. Security isn’t really that important here”.

How to improve: Look at where your security policies clash with common practice. Amend or abandon policies that no longer work. Give users reasonable ways to do their jobs. Let them tell you where security doesn't meet their needs - and then do something about it!

Where security requirements clash with business need, involve the right decision-makers in resolving the problem in a way that works for your business, but meets your organization's overall risk appetite. This might mean making pragmatic compromises, or carrying extra risk for a period until you can put a better solution in place. Either way, the organization should take the responsibility.

Don't leave your users stuck between a rock and a hard place: having to choose whether to follow the policy, or do their jobs.

2. Password juggler

Organization says: “Our work is very important. We expect you to work hard and focus 100%. But Security is important too!”.

Organization does: Expect users to juggle multiple complex passwords to log on, which they are not allowed to share or write down.

People hear: “We don’t know, or don’t care that humans can’t achieve this task. We have not invested in anything to cut the time you spend on authentication, or make it more secure, or make your lives easier. Security isn’t really that important here, and neither are you”.

How to improve: Recognize that people aren't computers. Tailor your expectations to what people can reasonably achieve. Examine your password practices and introduce better authentication solutions.

If you keep finding passwords on post-it notes around the office, it doesn't mean your users are losers - it means your password policies aren't working for them.

3. Rules are rules

Organization says: "You must know the rules, and obey them. If you break the rules, we will punish you. This is for your own good. Security is very important here".

Organization does: Actively look for people who are breaking the rules, and punish them without considering why they broke the rules - even if the member of staff was trying to do the right thing, but couldn't find a permitted way to do it.

People hear: “We are keener on punishing you if we catch you out, than helping you to do things right in the first place. It's in your best interest to hide your rule-breaking from Security - don't let them get in the way of the job. Security isn’t really that important here.”

How to improve: Figure out why people are breaking the rules. This might mean gathering different incident data, in more detail than you have done previously. Decide what would help people to comply: Change the system? Change the rule? Educate the user?

The bottom line

If users think Security is there to catch them out, they won't come to you with their problems. They will do their best to hide their necessary shortcuts and workarounds.

If you don't know what your staff are doing, you can't assess or mitigate the risks. The result is much more hidden risk for your organization. Fundamentally, security that doesn't work for people, doesn't work.

But I don't know where to start!

Don't panic.

You're not alone. This issue is one that many people and organizations struggle with. We'll be bringing out new guidance in the next few months, to help you start improving your organization's security story - developing and maintaining positive security cultures that help your business to run more efficiently and effectively, as well as more securely.