In your opinion, what are 3 key elements to succeed in a positive security culture, and what tips can you provide to implement change, successfully?
I define security culture by combining the Oxford dictionary´s definition of culture and security, which yields the following:
The ideas, customs and habits of a particular group, that helps them feel free from threat and danger.
Using a definition like this one helps us pinpoint exactly what it is we as security professionals are charged to do, that is, help our employees stay away from threats and danger.
Three key elements that can help organizations succeed in building a positive security culture are:
– Understanding your threats and levels of danger;
– Understanding who your employees are; and
– Creating a program to enhance the security and reduce uncertainty.
Understanding your threats and levels of danger is something most security professionals understand how to do. It is about risk assessment, defining risk acceptance, doing proper risk analysis, and making informed business decisions based on those analyses. Nothing new there.
Understanding who your employees are seems a bigger challenge for some security professionals. The key here is to connect with the different employees (perhaps not every single one, as that would be a challenge in most enterprises). Interview people in different departments and try to understand the challenges they face in their jobs. The more you learn about your colleagues, the easier it becomes to understand how your security measures can be adapted to the needs of the organization and the people who comprise it.
Creating a program to enhance security and reduce uncertainty relies on both points above. Use a framework like the Security Culture Framework to define goals, engage the right people in your organization, and then choose the topics and activities that can help you reach your defined goals. A framework helps guide you through the steps necessary to develop the competence and awareness amongst your colleagues, as well as helps you to define clear metrics that you can use to track your progress.
A final tip: involve others in your efforts. There are other people, offices and departments who know how to build and maintain work cultures, and there are others who may be better suited to communicate with and train your employees.
Most importantly, when handling change, be in control of the change and don´t let the change take control of you!
Kai Roer | The Roer Group | Senior Partner | @kairoer
To find out more about our panel members visit the biographies page.
[wp_ad_camp_4]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.