The word culture conjures images of far off places, exotic customs and markets filled with noise, spice scents and the murmuring of many languages spoken at once at varying volumes; but add the word “corporate” to that and the images collapse on a very different connotative space. Corporate culture, while influenced by geography, ethnicity and demography, is in fact a very different beast that gets very personal for us every day: where does authority come from? how do things get done? how do issues get resolved? how is progress made? what is the very nature of progress?
If we go a step further and change the modifier from “corporate” to “security,” the images change yet again and usually for the negative. Worse, we immediately think of how to train people to not click on an email or how to choose strong passwords that they don’t put on stickies somewhere, but that’s a simple checklist approach to security and frankly is a quixotic pursuit. Let’s take a different route in looking at how to create a Security Culture. Let’s start by looking at “the security culture” and what that means, especially in light of it being National Cybersecurity Awareness month in the US, and seeing what the ingredients for that are. Then we can move on to look at how security culture relates to the wider notion of corporate culture or even the largest domain of overall culture.
Excluding wider notions of “culture,” the phrase “security culture” applies to two things:
- The culture of the security department itself
- The collection of security traits of all employee
If we start with the first, the security department is the living embodiment of most subject matter expertise in security and is the keeper of practices, policies and almost the “conscience” of the company from a security perspective. While this is, to some extent, always the case, there’s a risk of the security department becoming either the security scapegoat for the rest of the company (“I don’t have to do it because they do it for me”) or the “Dr. No,” bunker-protected secret police who turn up to scold people and stop real business from happening. Both are very dangerous, and an insular security department with it’s esoteric practices and often military or intelligence-backgrounded people can make these happen very easily.
Let’s start off by saying that the security department should embrace transparency, simplicity, clarity and service to others as core values. Further, they should never say no unless something is illegal or represents a risk that has not been weighed and considered by business owners. The purpose of security isn’t to say no, it’s to “yes, if” or “yes, and” at the business table.
Let’s be clear — the purpose of business is to take risks. If you want no risks, turn everything off. But as soon as you turn something on, risk enters the equation. The purpose of security is to highlight and mitigate IT-related (and sometimes physical security-related) risk, so the business can decide what risks to take and how to mitigate risk. That means not being all “cloak and dagger” but to instead be deeply involved in understanding the business and talking to non-security people. A lot.
Now we move on to the second form of security culture, which is influencing the behaviors and security traits of all employees. For this, I’m going to recommend that the security department understand the corporate culture first. The model I like best is the Schneider Model (a good discussion of this in an Agile context is here, but a simple Google search will turn up good reference; and my favorite book on the subject is the Re-Engineering Alternative, and a good summary of the four cultures from the link above is…
- Collaboration culture is about working together.
- Control culture is about getting and keeping control.
- Competence culture is about being the best.
- Cultivation culture is about learning and growing with a sense of purpose.
Whatever model you use, know where authority comes from and what the corporate culture pursues. Then, work with it and not against it. Most security cultures are control cultures, meaning they are hierarchical, military-like and authority comes from a single source; but that could be a culture clash within a wider corporate culture.
Take the time to understand the wider corporate culture, and avoid thinking about culture here in terms of geography or ethnicity. It doesn’t matter whether the company you work for or with is in Asia, Europe or another continent as much as it matters to understand how to influence and succeed within the corporate culture.
Once that is really understood and assuming the security department is tackling it’s own internal culture, it’s now able to move outside and start influencing the collection of behaviors and security traits of the wider body of employees. And here I will lean on the Agile Manifesto a bit, which emphasizes a few important things.
What do they all have in common? I’ll give a list of what matters most:
- Incremental improvement over delayed perfection
- Working face-to-face with people and not from behind processes and tools
- Making software that works
- Making things sustainable
- Making users first class citizens
- Responding to challenges instead of sticking to a plan – in fact welcoming change
If you know the ID-10-T error, it’s commonly cited by security people for incidents or, worse, for breaches. This is the “error between keyboard and chair” root cause analysis that is a terrible trap. The job of the security department isn’t perfect security for it’s own sakes; it’s practical security for the real people working in the company or with the company every day. And while many companies have adopted Agile principles in R&D, it always amazes me that so few company security departments roll up their sleeves and adopt Agile principles in security and in interacting with the primary customers.
To summarize, we need to start with the security departments internal culture and get that right: risk-centric, not Dr. No and transparent, clear and simple. Next, the security department needs to understand the nature of the wider corporate culture and how to influence it; and finally the approach has to be one of changing security traits in that culture by being humble, being pragmatic and borrowing from many of the core principles of the Agile movement to be effective: whittle away risk with incremental improvements, work with teams on their problems and work security that is sustainable and natural to employees into their jobs.
It takes time, but that’s how to build an effective corporate (cyber) security culture no matter what macro culture you belong too. On a final note, if you get a chance, you may also want to check out NETSCOUT’s Deb Briggs related post about something that hits closer to home for us personally as “cyber citizens” dealing with what often feels like an identity-theft siege.