Security culture, and how to improve it, is a hot topic for many UK organisations.
This is a good thing, because - I think we can all agree - healthy and positive security cultures actively contribute to supporting and enabling business. Poor security cultures can undermine the efforts of otherwise diligent staff.
The subject may be high profile at the moment, but the fact remains: many employees, across many kinds of organisation, don't seem to feel they're part of a positive workplace security culture. Why is that, and what can we do about it?
In this post I will consider the function that organisational security cultures serve, why our common conceptions of security culture can be wrong, and how we can create, maintain and - crucially - improve security culture in our own organisations.
What is security culture?
Well, there is no single definition that works for everyone, in all circumstances (and that's ok). For now, we're considering how non-security specialists - you know, Normal People - tend to think about security culture. Ask Normal People what security culture means to them, and many will say that it's about the security decisions people make at work.
Imagine a situation where people:
- always remember the things they are supposed to do for security,
- always do those things, at the right times and in the right circumstances, and
- prioritise doing things in secure ways when needed.
Many people would call that a 'strong security culture'.
Conversely, when people frequently skip vital security tasks, take risks and cut corners to get the job done, we have what is often called a 'poor security culture'.
Does a strong security culture always help the business?
Good question. From the list above, you might think that the stronger your security culture is, the stronger your business is. This is true - but only up to a point.
- If people used all their brain power remembering things they are supposed to do for security, how would they do their actual jobs?
- If they used all their time doing security related things, when would they do their actual jobs?
- If they always prioritised doing things in secure ways, even when that stopped them doing their jobs...well, they couldn't do their actual jobs.
In business, it's crucial to balance the tensions between doing the job securely, and doing it at all.
How do we shape security culture?
In deciding what we think security culture is, most of us don't look far below the surface. We consider our own security knowledge and skills, our attitudes and our decisions. We examine our behaviour, and our relationships with others. We look at what others say and do, and from that we try and infer their thoughts (this is fraught with peril, by the way).
When thinking about how to change organisational security cultures, most of us focus on these same superficial factors. We seek to increase knowledge, and to shape attitudes and behaviour, by applying a fairly standard set of top-level, user-facing interventions. These fall under three broad headings: Awareness, Education and Training.
This top-level focus is a mistake. It’s looking only ‘skin deep’. It's a bit like a doctor trying to cure a fever with paracetamol, but missing the patient’s gangrenous leg, the actual source of infection and fever.
Just like the physician in our example, if we want to create a healthy, positive security culture, we first need to take a step back. We need to look at the systemic factors underlying the things people do day-to-day.
We also need to recognise that just as the doctor doesn't expect a patient to have advanced medical knowledge, as security professionals we can't expect everyone we meet to know everything we know about security. We have to meet them on their ground, and find solutions that help them in the ways they live their everyday lives.
If we don't do these things, superficial behaviour-change initiatives cannot lead to long-lasting, positive cultural change.
How are security cultures really created?
Organisational security culture is intertwined with general organisational culture. This is shaped by messages sent out, at all levels, consciously and unconsciously, about "How we do things here".
This means far more than just formal communications. People's ideas of "how we do things here" are created and informed by many more things than we commonly think about. These include:
- Physical buildings: open plan, or private offices? Brightly coloured, or shades of grey? Staid and serious or bunting, bunting everywhere?
- How we organise: rigid hierarchies and working processes, or fluid task-based teams?
- What tools we use: clunky and unbending, or intuitive and fitting our needs?
- How we talk to each other: can you go and perch on the boss's desk for a chat any time you like, or must you make an appointment with her PA three weeks in advance?
- How we learn: most of us learn far more from our immediate colleagues than we ever do from formal training programmes. Do people around us normally follow the security rules and processes, or routinely ignore them?
- What we do when things go wrong: rush around looking for someone to blame, or pitch in and fix things?
None of these things, individually, is right or wrong. Different approaches are needed for different situations. But these are the things that inform people's real experiences at work. Official comms may only reflect the organisation's aspirations and ideals, and those aren't always the same as its day-to-day reality!
Campaigns aimed at changing security behaviour are likely to fail if they clash with people’s underlying knowledge of “how we do things here”. This is even more so if the security rules and practices involved don’t fit people's real needs.
Another complicating factor is that large organisations don't usually have just one, single security culture (any more than they have a single business culture). There can easily be several different cultures, existing side by side, in separate parts of the business. This is natural and inevitable, but it does mean it's very hard to identify and spread correct, useful security messages that apply to everyone in the organisation, and which everyone interprets in the same way.
How to make real changes
To improve your organisation's security culture, you must first hear and understand the messages your organisation sends out about "how we do things here". You must also listen to the messages people are sending back, and demonstrate that you are paying attention to what you are told. Only then can you start to understand what really needs fixing in your business, and build the foundations of a strong, healthy security culture.
When you act, don't confine yourself to your usual ways of doing things. Consider trying new ideas, to engage and connect with employees in a different way. Normal People tend to think they know what to expect from Security. By giving them something different you can start to involve and engage people, and bring them along with you. This, in itself, is the start of changing the conversation and kicking off a fresher, more positive security culture in your organisation.
The goal is to support users so they can do the right things without feeling they need to break the rules. Here are a few examples of common problems, and some ideas on how to put them right:
1. Tough choice
Organisation says: "Security is a critical enabler for our business. Security is very important to us".
Organisation does: Have a security manual that is long and detailed but rarely referred to day-to-day. Its rules conflict with what needs to be done in practice.
People hear: “Security and business demands don't actually match up, and business always wins. Security isn’t really that important here”.
How to improve: Look at where your security policies clash with common practice. Amend or abandon policies that no longer work. Give users reasonable ways to do their jobs. Let them tell you where security doesn't meet their needs - and then do something about it!
Where security requirements clash with business need, involve the right decision-makers in resolving the problem in a way that works for your business but stays within your organisation's overall risk appetite. This might mean making pragmatic compromises, or carrying extra risk for a period until you can put a better solution in place. Either way, the organisation, not the individual user, should take responsibility for that decision.
Don't leave your users stuck between a rock and a hard place: having to choose whether to follow the policy, or do their jobs.
2. Password juggler
Organisation says: “Our work is very important. We expect you to work hard and focus 100%. But Security is important too!”.
Organisation does: Expect users to juggle multiple complex passwords to log on, which they are not allowed to share or write down.
People hear: “We don’t know, or don’t care that humans can’t achieve this task. We have not invested in anything to cut the time you spend on authentication, or make it more secure, or make your lives easier. Security isn’t really that important here, and neither are you”.
How to improve: Recognise that people aren't computers. Tailor your expectations to what people can reasonably achieve. Examine your password practices and introduce better authentication solutions; look at our password guidance for help.
If you keep finding passwords on post-it notes around the office, it doesn't mean your users are losers - it means your password policies aren't working for them.
3. Rules are rules
Organisation says: "You must know the rules, and obey them. If you break the rules, we will punish you. This is for your own good. Security is very important here".
Organisation does: Actively look for people who are breaking the rules, and punish them without considering why they broke the rules - even if the member of staff was trying to do the right thing, but couldn't find a permitted way to do it.
People hear: “We are keener on punishing you if we catch you out, than helping you to do things right in the first place. It's in your best interest to hide your rulebreaking from Security - don't let them get in the way of the job. Security isn’t really that important here.”
How to improve: Figure out why people are breaking the rules. This might mean gathering different incident data, in more detail than you have done previously. Decide what would help people to comply: Change the system? Change the rule? Educate the user?
The bottom line
If users think Security is there to catch them out, they won't come to you with their problems. They will do their best to hide their necessary shortcuts and workarounds.
If you don't know what your staff are doing, you can't assess or mitigate the risks. The result is much more hidden risk for your organisation. Fundamentally, security that doesn't work for people, doesn't work.
But I don't know where to start!
You're not alone. This issue is one that many people and organisations struggle with. We'll be bringing out new guidance in the next few months, to help you start improving your organisation's security story - developing and maintaining positive security cultures that help your business to run more efficiently and effectively, as well as more securely.
I touched on a lot of these themes in my keynote presentation from CyberUK2017 - the Director's Cut is presented below.
People-Centred Security Lead | Sociotechnical Security Group
https://www.riscs.org.uk/wp-content/uploads/2015/12/Awareness-is-Only-the-First-Step.pdf explains why training, education and awareness are important in security, but not enough by themselves.