Among all the discussions of breaches and malware, one topic that rarely arises is the impact organizational culture has on information security. While controls, policies and processes are the building blocks of a security program, it is people who must execute that program. Culture is a vital part of any organization. Based on our 20 years of security experience, security programs are most successful when they align with the company culture.
So what is a good security culture?
Military leaders have known for centuries the impact culture has on armies. Soldiers who care about their country, unit and mission, fight harder, react quicker and protect each other better. As such, the military fosters qualities of personal responsibility, loyalty and collaboration among its members to build a strong internal culture. We can learn from this model and adopt it for information security.
A healthy culture begins with effective leadership. Whether that is executive or departmental leadership, there are key behaviors these leaders can cultivate to strengthen the security culture.
Do you cherish feedback?
Effective leaders do not merely accept feedback, they cherish it. Leaders must be conspicuously appreciative of feedback. Far too many leaders cut themselves off from their organization so they will not be “bothered” with the details. It is this hubris that erodes trust and care. Secure environments obsessively seek to bring everybody to the table and solicit feedback. Listening to feedback does not mean every suggestion must be implemented. It is leadership’s role to sort out the good ideas from the mediocre ones.
Feedback promotes involvement. It gives people a stake in the security of the organization and allows them to be a part of developing and enforcing it.
Do you plan strategically?
Mature companies plan at every level: tactically, operationally, and strategically. For IT departments, it is easy to become mired in the operational details and tactical fire-fighting of daily support. This leads to a lack of focus and security controls misaligned with business requirements. Technology vendors often exploit this weakness and sell products that are unnecessary or beyond the skill level of the team.
It is vital for organizations to step back and analyze the security and risk of the entire organization. Large, organizational-wide risk assessments are an ideal way to drive this process. These efforts should focus on identifying projects that align with long-term business and security needs. This also helps define the technologies necessary to support those goals, thus preventing vendors from distracting the team.
Strategic planning provides people with vision, which helps bolster faith in the organization and its longevity.
Are you agile?
Imagine that you had to replace a critical application in your environment next week. Could you handle this? Change is the essence of technology (and security for that matter). Being strong and resilient is not as important as being agile.
Today’s security teams and technologies must adapt quickly to a rapidly changing threat landscape. IT projects and security efforts should be evaluated not only for their value to the business, but also for the agility they can deliver. People are naturally resistant to change. It is therefore vital that leadership not merely embrace change, but establish change as “the new normal.”
Do you tolerate excuses or complaining?
Complaining has become the most pernicious vulnerability facing organizations. Complaining employees do not merely waste time, they also build a toxic environment. The only thing worse than complaining is tolerating complaining.
A culture of security must be a culture that is devoted to solving problems. That means seeing risk as something that must be aggressively reduced using whatever resources can be acquired. It also means making the most of the resources you have.
Leaders who want a strong internal culture should adopt a “zero tolerance” policy for complaining. Everybody should be expected to come to the table with solutions to problems, not just complaints.
Is perfection the enemy of good?
The only thing worse than no security is trying to implement perfect security. It is impossible to fully eliminate all risk. As such, all security and risk management is shades of “good enough.” Do not allow the organization to accept no solution as an alternative to the perfect solution. Just because you have weak controls, limited staff or poorly worded policies does not mean you throw them away because they are not perfect. This is where maturity modeling can be used effectively to monitor control effectiveness and growth.
Does the staff care?
People protect things they care about. Parents protect their children; soldiers protect their country; happy employees protect their employer.
Getting people to care about their workplace will have the most lasting and profound impact on organizational security. However, this takes building a culture of shared core values.
This starts with “why?” Why are you in business? Why do you do what you do? Why do you care? Why should anybody care about the business? These are big questions that everybody, especially information security teams, should be able to answer. If your people cannot define these “whys”, then why would they care?
For example, at our business we have seven core values: Rational, Pragmatic, Service, Excellence, Effective, Integrity, Responsibility. Rational, in our values statement, states: “We value reason. We use the time-honored principles of the Scientific Method for our work.” This is a value all employees at our company share. Those who do not share this value do not work at our company. We care about this value. It defines us as a business. Likewise, our security program reinforces this value of reason wherever possible.
Security teams need to reflect on the core values of their business. The difference between a good security program and a great one is how well the program aligns with the values of the organization.
Furthermore, getting people to care means letting them care. People want to make things better. The more we tell people they do not matter, the less they will care. Everybody must have a seat at the security table. Everybody must know their contribution matters.
Finally, leadership must fully embrace a security culture. If executives are routinely exempting themselves from security controls, this erodes trust and diminishes the culture.
Security culture does not come overnight. It is not an appliance you plug in and it begins installing culture agents on all your employees. Culture takes time to build, but it can have a big impact. Organizations where people care are fundamentally better at detecting, responding to, and eliminating threats. This is why the military is so focused on building and maintaining a strong culture of service, teamwork, and honor. These concepts make people react and defend better.