Long-suffering readers of this column will be familiar with the importance of security culture in driving behavioural change. This month I caught up with Kai Roer, founder of the Roer Group and author of Build a Security Culture. Kai has created a free resource called the Security Culture Framework and runs a blog at Roer.com.
What is security culture?
Security culture is security awareness that actually works. Culture can be defined as the ideas, thoughts and behaviours of a particular group or people, meaning it is the rules – visible and hidden – that form and inform that group's members' way of thinking and being. Security culture is a subset of culture, the part of culture that works on security – both positive and negative. For example: a negative security culture is seen in organizations where people do not follow policies (or they do not exist), or training efforts do not teach members what is the right behaviour. A positive security culture is one where each member is helping each other to do the right thing – like explaining to the newcomer that "We always carry our badges visibly", and by openly informing them of the rules, regulations and expectations. Culture in general comes with a high expectation of conformity – and it seems like humans are hard-wired to conform to the norms in a culture almost automatically. Most of the time, we don't even know that we do – we just do what is expected from us. Understanding how these strong currents impact our group or organization, and how we can work to change the culture to create the currents we need, makes culture an important security control – one that either works against you, or with you to form security culture.
Do you think Security Professionals understand security culture?
The answer depends on your definition of a security professional. Security professionals come in all sorts – from cybersecurity malware researchers to QHSE professionals – from operative support personnel to military tac-teams. So on a general note, I would say yes, security professionals understand security culture. That is not the same as understanding how to build and maintain security culture – something very few security professionals do. It is also important to understand that some of these groups know more about security culture than other groups. I think it is a safe claim to make that some cybersecurity professionals fail to understand what security culture is. The more interesting question, in my opinion, is "should we expect cybersecurity professionals to know about, and build, security culture?"
I often hear that security awareness is a responsibility that lies within the cybersecurity group, and as such, it must be the same group who should train, build and maintain security culture. I question that assumption. I believe that the security content and competence needs to come from the cybersecurity group, but that is not the same as making that technical team in charge of building and maintaining security culture. In fact, I suggest using resources from HR and Marketing, and project managers from the project office, when it comes to building and maintaining security culture.
And of course, my claim that most security professionals understand security culture is not saying that they are able to define it, nor point at it. That is one of the areas we are helping with through the Security Culture Framework. The Security Culture Framework is a free and open framework to build and maintain security culture in organizations. I created this framework some years ago, and decided to give it away for free in order to help more organizations worldwide, and to build a community of like-minded professionals to meet and discuss security culture.
Where can people find out more about the Culture Framework?
The framework is available for free at scf.roer.com – where you can download templates, join the community and share your experience. We also have a monthly Google hangout where we talk security culture with fantastic security awareness specialists such as Rebecca Herold and Lance Spitzner. This year we’re also doing the first Security Culture Conference, where people from around the world can meet, learn and discuss security culture.