22 percent said that it was a recognition that security is a shared responsibility across the organization.
14 percent indicated that it had something to do with establishing formal groups of people that could help influence security decisions.
12 percent said that a good security culture meant that security was embedded into the organization.
That's a wide variety of ideas for what security culture is. And it shows the danger of not having a formal, industry-recognized understanding of what this concept really means. Just imagine being in a room where someone is talking about how critical it is to have a good security culture. Now, imagine looking all around the room and seeing virtually everyone (94 percent of the folks in the room) nodding in violent agreement. Seems like a real kumbaya moment, right? Nope. In reality, they are all agreeing to different concepts—preexisting assumptions about what they assume the speaker is referring to, but (and here's the danger) everyone believes they share the same definitional idea. Situations like this belong in Monty Python skits, not as part of the unconscious assumptions driving our security and risk management programs.
Situations like this belong in Monty Python skits, not as part of the unconscious assumptions driving our security and risk management programs.
At this point, you're probably asking yourself which of the five categories we most closely align with. For the most part, we believe that the 12 percent of those who indicated that a good security culture means that security is embedded throughout the organization should get the gold star. Respondents in this category made statements like, “we put security in high regard throughout the company.”
Your humble authors believe this is the most accurate representation of what a good security culture is. The definitions offered up within the other categories would naturally flow from this. Having security embedded throughout the organization and holding security in high regard will result in people following policies, having awareness of issues, and recognizing that security is a shared responsibility, and the intentional creation of groups who would serve as security advocates and liaisons.
Let's be clear. We believe that 12 percent of people offered a directionally correct response. But the other 88 percent of respondents also offered valuable insights. They offered ideas of things that we might consider evidence (or artifacts) of a good security culture.
We, as an industry, have a lot of work to do in making this idea of “embeddedness” and “high regard” something that is synonymous with how people generally define security culture. This understanding indicates much more than what surface-level security awareness can accomplish. It indicates a much deeper appreciation and value of security than simple policy acknowledgments or compliance will ever offer. This is something else—something different from the status quo.
A Problem of Overconfidence
The Forrester Consulting study also found that security leaders are overconfident that they have a good security culture. That's obviously not a good thing. Overconfidence means they believe that they've got things under control. These leaders have a semblance of security in their mind, and yet they're leaving themselves extremely vulnerable. They are, quite literally, operating under a false sense of security.
There's a phrase that I, Perry, have said for years: “A security culture already lives and breathes in every organization. The question is really, how strong, intentional, and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?”
A security culture already lives and breathes in every organization. The question is really, how strong, intentional, and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?
There are already embedded security-related attitudes, beliefs, values, behaviors, and social norms in every organization. Your goal as a leader is to be intentional about how you pinpoint and measure security-related aspects of the culture and how you intentionally shape those aspects. That means you must be proactive about security culture management. You need to understand how that can become part of your larger organizational culture management initiatives. Ultimately, you want security beliefs, values, behaviors, and social pressures woven all throughout the fabric of your larger organizational culture. The takeaway here is that you already have a security culture. What are you going to do with (or about) it?
You can't treat security culture as a black box topic. Security culture does not exist as an entity unto itself. You already have a security culture, whether you like it or not and whether it is good or not. Security culture is inexorably intertwined within your larger organizational culture. The question you need to deal with is what are you going to do with (or about) these security-related aspects of your larger organizational culture?
It's your move.
Takeaways
Security and business leaders are realizing that humans are a critical layer within their security programs.
Recognizing humans as an important layer in your security program does not negate the importance of technical defenses.
The question isn't whether or not you have a security culture; it's how you need to engage it.
Leaders agree that security culture is a critical aspect of risk reduction, but there is little agreement on what constitutes a good security culture.
Security leaders are often overconfident in the maturity of their security culture, resulting in a false sense of security.
This book will give you the necessary information and tools to begin shaping your security culture.
Chapter 2 Up-leveling the Conversation: Security Culture Is a Board-level Concern
Management is efficiency in climbing the ladder of success; leadership determines whether the ladder is leaning against the right wall.
Stephen Covey
Let's be honest—no organization will ever be fully secure. Security is a management process. It's the process of managing all the risks and threats that arise minute by minute, hour by hour, and day by day. You are never done. You can be more secure than you were yesterday, but you never arrive. You're always a zero-day threat, misconfiguration, or employee-related incident away from being less secure than you were just a minute ago.
This is a critical concept for organizational leaders and their boards of directors. So, if you are one of those leaders, or if you have influence over one of those leaders, read on. This chapter will serve as an overview of why security culture and your human-layer defenses deserve attention at the highest levels of your organization. And, while we don't want to be fear mongers or party killers, we will also briefly discuss the cost of ignoring your security culture or taking it for granted. Lastly, we'll point you to some valuable resources that you can begin using right away.
A View from the Top
If there is one good thing that comes from all the media reporting about cyber breaches around the world, it is that virtually every organization now recognizes the need to shore up their cyber defenses. Along with that recognition comes the need to communicate clearly throughout the executive team and board of directors about the organization's risks and cyber readiness. This isn't to say that every member of the board of directors and executive team needs to become an expert in cybersecurity in addition to their current expertise, but they do need to become experts in understanding the risks that cyber-related events might have on the business.
Risk is the key word. Executives manage based on risk, reward, and opportunity. Conversations about security for the sake of security will have limited