Growing positive Security culture

Updated: Jun 6, 2023

If your security culture isn't improving naturally, here's what you can do about it.

Security culture, and how to improve it, is a hot topic for many UK organisations. This is a good thing, because - I think we can all agree - healthy and positive security cultures actively contribute to supporting and enabling business, while poor security cultures can undermine the efforts of otherwise diligent staff. The subject may be high profile at the moment, but the fact remains: many employees, across different kinds of organisations, don't seem to feel they're part of a positive workplace security culture. Why is that, and what can we do about it? In this post I will consider the function that organisational security cultures serve, why our common conceptions of security culture can be wrong, and how we can create, maintain and - crucially - improve security culture in our own organisations.

What is security culture?

Well, there is no single definition that works for everyone, in all circumstances (and that's ok). For now, we're considering how non-security specialists - you know, Normal People - tend to think about security culture. Ask Normal People what security culture means to them, and many will say that it's about the security decisions people make at work. Imagine a situation where people:

  • always remember the things they are supposed to do for security,

  • always do those things, at the right times and in the right circumstances, and

  • prioritise doing things in secure ways when needed.

Many people would call that a 'strong security culture'. Conversely, when people frequently skip vital security tasks, take risks and cut corners to get the job done, we have what is often called a 'poor security culture'.

Does a strong security culture always help the business?

Good question. From the list above, you might think that the stronger your security culture is, the stronger your business is. This is true - but only up to a point.

  • If people used all their brain power remembering things they are supposed to do for security, how would they do their actual jobs?

  • If they used all their time doing security related things, when would they do their actual jobs?

  • If they always prioritised doing things in secure ways, even when that stopped them doing their jobs...well, they couldn't do their actual jobs.

In business, it's crucial to balance the tensions between doing the job securely, and doing it at all.

How do we shape security culture?

In deciding what we think security culture is, most of us don't look far below the surface. We consider our own security knowledge and skills, our attitudes and our decisions. We examine our behaviour, and our relationships with others. We look at what others say and do, and from that we try to infer their thoughts (this is fraught with peril, by the way). When thinking about how to change organisational security cultures, it's common for many of us to focus on these same superficial factors. Mostly we seek to increase knowledge, and shape attitudes and behaviour, by applying a fairly standard set of top-level, user-facing interventions. These fall under three broad headings: Awareness, Education and Training. This top-level focus is a mistake. It's looking only 'skin deep'. It's a bit like a doctor trying to cure a fever with paracetamol, but missing the patient's gangrenous leg, the actual source of the infection and fever[1]. Just like the physician in our example, if we want to create a healthy, positive security culture, we first need to take a step back. We need to look at the systemic factors underlying the things people do day-to-day. We also need to recognise that, just as the doctor doesn't expect a patient to have advanced medical knowledge, as security professionals we can't expect everyone we meet to know everything we know about security. We have to meet them on their ground, and find solutions that help them in the ways they live their everyday lives. If we don't do these things, superficial behaviour-change initiatives cannot lead to long-lasting, positive cultural change.

How are security cultures really created?

Organisational security culture is intertwined with general organisational culture. This is shaped by messages sent out - at all levels, consciously and unconsciously - about "how we do things here". This means far more than just formal communications. People's ideas of "how we do things here" are created and informed by many more things than we commonly think about. These include:

  • Physical buildings: open plan, or private offices? Brightly coloured, or shades of grey? Staid and serious or bunting, bunting everywhere?

  • How we organise: rigid hierarchies and working processes, or fluid task-based teams?

  • What tools we use: clunky and unbending, or intuitive and fitting our needs?

  • How we talk to each other: can you go and perch on the boss's desk for a chat any time you like, or must you make an appointment with her PA three weeks in advance?

  • How we learn: most of us learn far more from our immediate colleagues than we ever do from formal training programmes. Do people around us normally follow the security rules and processes, or routinely ignore them?

  • What we do when things go wrong: rush around looking for someone to blame, or pitch in and fix things?

None of these things, individually, is right or wrong. Different approaches are needed for different situations. But these are the things that inform people's real experiences at work. Official comms may only match the organisation's aspirations and ideals, and this isn't always the same thing! Campaigns aimed at changing security behaviour are likely to fail if they clash with people's underlying knowledge of "how we do things here". This is even more so if the security rules and practices involved don't fit people's real needs. Another complicating factor is that large organisations don't usually have just one, single security culture (any more than they have a single business culture). There can easily be several different cultures, existing side by side, in separate parts of the business. This is natural and inevitable, but it does mean it's very hard to identify and spread correct, useful security messages that apply to everyone in the organisation, and which everyone interprets in the same way.

How to make real changes

To improve your organisation's security culture, you must first hear and understand the messages your organisation sends out about "how we do things here". You must also listen to the messages people are sending back, and demonstrate that you are paying attention to what you are told. Only then can you start to understand what really needs fixing in your business, and build the foundations of a strong, healthy security culture. When you act, don't confine yourself to your usual ways of doing things. Consider trying new ideas, to engage and connect with employees in a different way. Normal People tend to think they know what to expect from Security. By giving them something different you can start to involve and engage people, and bring them along with you. This, in itself, is the start of changing the conversation and kicking off a fresher, more positive security culture in your organisation.

The goal is to support users so they can do the right things without feeling they need to break the rules. Here are a few examples of common problems, and some ideas on how to put them right:

  1. Tough choice

  2. Password juggler

  3. Rules are rules

The bottom line

If users think Security is there to catch them out, they won't come to you with their problems. They will do their best to hide their necessary shortcuts and workarounds. If you don't know what your staff are doing, you can't assess or mitigate the risks. The result is much more hidden risk for your organisation. Fundamentally, security that doesn't work for people doesn't work.

But I don't know where to start!

Don't panic. You're not alone. This issue is one that many people and organisations struggle with. We'll be bringing out new guidance in the next few months, to help you start improving your organisation's security story - developing and maintaining positive security cultures that help your business to run more efficiently and effectively, as well as more securely. I touched on a lot of these themes in my keynote presentation from CyberUK2017 - the Director's Cut is presented below.

Emma W
People-Centred Security Lead, Sociotechnical Security Group

[1] explains why training, education and awareness are important in security, but not enough by themselves.

