Provide feedback on this document
Visit the Information Security Management Knowledge Center community
No security policies, standards, guidelines or procedures can foresee all of the circumstances in which they are to be interpreted. Therefore, if stakeholders are not grounded in a culture of security, there is potential for improper actions.
Security should not be considered adverse to mission achievement; where that is so, there is clear evidence that security is a weak part of the overall culture of the enterprise and allows security to be seen as prohibition rather than enablement. Among the rationales for a culture of security is the alignment of security with the enterprise as a whole.
The culture determines what an enterprise actually does about security (or any other objective) and not what it says that it intends to do. An effective security culture supports the protection of information while also supporting the broader aims of the enterprise. To sustain a security culture, it is critical to understand whether it was created in a purposeful manner or by “accident.”
A culture of security is not an end in itself, but a pathway to achieve and maintain other objectives, such as proper use of information. The greatest benefit of a culture of security is the effect it has on other dynamic interconnections within an enterprise. It leads to greater internal and external trust, consistency of results, easier compliance with laws and regulations and greater value in the enterprise as whole.
Creating a Culture of Security by Steven J. Ross, Risk Masters discusses how to achieve a meaningful, intentional security culture. It provides information on the benefits of, and inhibitors to, a culture of security. It discusses positive and negative reinforcement strategies and the steps to take to achieve the right balance in a security culture program.