Creating a security culture - awareness is not enough

For Cybersecurity Awareness Month 2019, I published a daily blog series especially for non-tech users.

I was thinking about writing another - shorter - security awareness related series this October. I deliberately used the word 'related' because the blogs will be about creating a security culture. As we will see in a bit, culture goes way beyond awareness.

In the meantime it's already October 25 and I certainly won't finish the different blogs I have in mind by the end of this month. But I'm happy to finally start off with the first post.

What and why?

The blogs in this series are aimed at security professionals who, like me, are on the path of creating a security culture.

I am by no means claiming to be an expert in this field, but I would like to share my own thoughts and experiences gained along the way. What worked and what didn't? And even more important, why didn't it work and how can we do better?

Hopefully it's useful for other security professionals and it spikes some good discussions about the topic.

At least there seems to be enough interest, so let's go!

Awareness

I guess every security professional has at some point been asked whether a certain solution is secure. Unfortunately, this question can't be answered correctly. Security is not binary, there’s no such thing as unhackable or 100% secure.

Photo by Clem Onojeghuo / Unsplash

Securing a product or service is a best effort exercise of making each link in the chain as resistant against compromise as possible. It's an unfortunate fact that we humans are the most vulnerable link.

That's why companies traditionally invest in security awareness. On wikipedia described as

Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.

Many organizations try to improve the awareness of their employees via yearly compliance training, lunch sessions, phishing simulations, posters in the hallway, etc.

Often it's just more of the same and people will get bored and lose interest. The exact opposite of what you want to reach.

I've made the same mistakes and it took me a while to realize that things needed to change. That's not to say that the above-mentioned activities can't or shouldn't have a place in your security culture program, but it's important to use the correct tool in your toolset for the job in hand.

Also keep in mind that you might have limited influence on certain awareness activities in corporate environments. However, this doesn't mean that you can't make a difference.

Just because I'm aware doesn't mean that I care

Awareness on its own is simply not enough. I really like how Perry Carpenter describes 3 realities of security awareness in his book 'Transformational Security Awareness'.

  • Just because I'm aware doesn't mean I care.
  • If you try to work against human nature, you will fail.
  • What your people do is way more important than what they know.

What you really want is a security culture. But what is a security culture actually? Well, let's first look at how Merriam-Webster defines culture:

A way of thinking, behaving, or working that exists in a place or organization (such as a business)

Security culture is culture that impacts security in an organization. Within a security culture good security practices are part of the daily life of every employee in your organization.

Can you spot the differences between awareness and culture? While awareness is about what people know, culture is about how people think and behave.

Creating a security culture is not a one off, but a continuous and iterative improvement process, with clear goals and metrics. It is a program with different projects which you must plan and manage. It's not something that just will happen.

I'm not going to show you project management plans in the upcoming blogs, but like I wrote earlier I'll share my own thoughts and experiences about topics like security champions (or advocates), security onboarding and communication to name a few.