Since I created the Security Culture Framework in 2012 and open sourced it in 2013, the interest in security culture has exploded worldwide. When I first started in the industry, security culture professionals were but a small group of specialists in the US and Europe, discussing how we, based on our experience, built functional security cultures in organizations around the world.
Today, only a few years later, the interest in security culture is truly global, with a large number of organizations applying the principles of the framework to build and improve their security culture.
Every organization has a security culture, whether it acknowledges it or not. A poor security culture is a liability: it exposes the organization to external and internal risk and to data breaches. The corollary is that a security culture can, and should, be improved, and that improvement is where the benefit lies.
Security culture is defined as the ideas, customs and social behavior of a group (organization) that keep it secure. Being secure is one clear benefit of a security culture. What being secure really boils down to is the organization's risk assessment, risk acceptance and risk mitigation strategy, and no two organizations are the same in this respect. A risk-focused approach to security culture is therefore a very good idea: it lets you direct your efforts to where they will make the most difference for the organization.
An organization with a high risk appetite may choose to invest less in security culture than one with a low risk appetite. As long as it understands the short- and long-term outcomes of that strategy, I have no problem with such a choice being made. The challenge arises when an organization is flying blind: it believes it is doing the right things, then wakes up one morning to find all of its data records leaked to the press, and on closer inspection discovers that its awareness training program worked very well for checking a box once a year but did little, if anything, to build and improve its security culture.
Making informed choices is itself part of a security culture. Understanding the threat landscape and the risk strategy, and then translating both into a security culture program, is the way to build and improve security culture.
In future blog posts I plan to discuss the principles of the Security Culture Framework and my experiences building security cultures around the world. I will also take and answer your questions about security culture.
What is your experience building and improving a security culture? Do you see any settings where an organization could accept a lesser security culture? If so, why?
Editor's note: Roer’s latest book, Build a Security Culture, is available for purchase at ISACA’s Bookstore.