Information security culture is an iceberg principle. What you see above the surface in the form of people's behaviors and decisions is just the tip. Below the tip lie the priorities, values and beliefs that drive those behaviors. Every security decision -- from what a security policy requires to whether or not people routinely ignore or resent that policy -- has a reason. We often don't think about those reasons, and security culture becomes simply the way we do things around here.
If you really want to appreciate your information security culture, go experience a different one. Organizational culture tends to fade into the background. Go elsewhere, like another company, and the new security culture may feel alien. Maybe you'll have full admin rights on your corporate laptop, where before it was locked. Or perhaps it will be the opposite, and now the security team seems to always be looking over your shoulder. Ask a new colleague and they'll shrug, "Hey, that's just the way we do security."
Short of leaving the organization you're currently in, can you transform a company's information security culture? Icebergs tend to move because of the mass underneath. The tip is just along for the ride. What signs show that the organization's culture is changing, and that the iceberg is altering its course? It's hard to measure what people think and believe, but that's where cultural transformation happens. Fortunately, there is a correlation between culture and behavior. One of the first places to look for change in information security culture is a change in security decisions and activities, and in the behaviors they drive.
Consider an organization that neglects IT security. The CISO struggles to get a bigger budget and more resources. A culture of resistance pushes back on every new policy and initiative. People flout security standards with impunity. Then, a major, public data breach occurs. Suddenly, reporters and regulators are asking questions. Customers are angry. The company is forced to throw buckets of cash at the incident, hiring consultants and paying for credit-monitoring services. It's a nightmare.
But something amazing happens. Suddenly, everyone takes security seriously. Budgets and staff grow overnight, while once rare behaviors become standard operating procedure. Resistance to security changes into support. The iceberg moves. This is often how security culture changes, but it is also the most disruptive and painful of transformations. I don't recommend it.
What I do recommend is a robust security, training, awareness and culture (STAC) program that goes beyond basic training delivered only to check a compliance box. Effective STAC programs produce sophisticated security capabilities that foster the same fundamental changes as those caused by a breach, but with more control and far less disruption. They do this by targeting thoughts and beliefs, and then measuring decisions and behaviors. Several observable changes result from effective STAC programs.
A common security-awareness error is to target behavioral change, then claim cultural transformation. If you threaten to fire employees for clicking on too many phishing emails, then you'll succeed in getting them to stop clicking. But that doesn't mean you've changed what they believe. They may stop clicking on all email links, even legitimate ones. If you stop threatening, then they'll start clicking again. Their behavior is externally motivated, not internalized. That's not culture.
STAC programs targeting culture look for behaviors that remain stable, even after you stop reminding people. If an antiphishing campaign teaches people to mistrust emails, provides skills to recognize phishing and motivates users to report problems -- maybe through a game -- user beliefs and attitudes change. The STAC team measures whether phishing rates stay lower, even after the campaign ends. If they do, the behavior has been internalized. That's culture.
Engagement and communication
Another way of measuring security culture change is to just listen. People talk about what they think is important, not things they don't care about. Consider how often security is discussed in your organization. The security team certainly talks about it a lot. But does anyone else? Many organizations only talk about security when things go wrong, when it's time for security training or audits, or during National Cyber Security Awareness Month.
One goal of effective STAC programs is to get people talking about security more often. This can involve conversation starters, like posters, flyers or swag. Even better, security ambassadors and champions can be recruited to evangelize security internally. What STAC teams really want to observe is security becoming a hot topic for company leaders, in staff meetings and around the watercooler. If people talk about security as often as they talk about their job or manager, you know you're on to something.
Resources and rewards
Nothing says this is important like money. If you want to see what a company culture really values, look at what it funds and rewards. No matter how much the organization says it values security, if it pays a premium for decisions favoring goals like increasing profitability or productivity, you'll understand the real priorities.
A sure sign of changing security culture is a change in security resourcing and support, including rewards for decisions that prioritize security over competing enterprise goals. Security is always a business tradeoff, and one measure of security culture is the organization's willingness to sacrifice things in favor of more security. Security won't always be the most important thing. But a stronger security culture means it stops always being the least important thing.
Information security culture is real and it's measurable. That doesn't mean it's easy to transform, or obvious when it changes. Organizations must be willing to expend time and effort to detect the signs. For those that do, it offers a tremendous source of security value.
About the author: Lance Hayden, managing director in the Houston office of Berkeley Research Group, has worked in information security for 25 years, beginning his career as a human intelligence (HUMINT) operations officer with the Central Intelligence Agency. He has acted as a trusted security adviser to government, military and enterprise customers across industries, including banking and finance, insurance, healthcare, retail, energy and internet service providers. A regular speaker and contributor in information security industry conferences and publications, Hayden is also the author of IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data and People-Centric Security: Transforming Your Enterprise Security Culture, both from McGraw-Hill.