A security culture is the part of a business culture’s self-sustaining patterns of behavior and perception that determine how (or if) the organization pursues security. It is an amalgamation of perceptions about and behavior toward the business’s own IT and security systems, security policies, and operational security practices or projects. Security culture is not fixed; it is constantly evolving based on people’s experiences and social interactions.
Security culture can impact an organization’s risk levels, compliance posture, and costs or benefits in both positive and negative ways. Business and security leaders ignore it at their own risk, or they can leverage it to get better outcomes.
A security culture strategy is a conscious effort by security and business leaders to transform their de facto security culture into one that’s more conducive to information protection and risk management. The strategy also seeks to sustain security culture at the desired state as the business changes over time.
The way the security organization communicates and aligns with the business, together with user awareness and training programs, is a primary tool for improving the security culture. In a healthy security culture, the security team’s communications and the awareness programs have a higher chance of success. Even in a more negative setting, the right communications and awareness messaging, carried out over time, can help improve the security culture. A stronger security culture will then ease many other cybersecurity challenges.
4.2.1 Your Greatest Vulnerability?
Thought leader Edgar Schein once said about business culture in general: “If you do not manage culture, it manages you, and you may not even be aware of the extent to which this is happening.” Likewise, security culture can make or break a security program.
In fact, the root cause of many security breaches is not technology, but a “people” vulnerability such as an employee being tricked by a phishing message or other social engineering exploits into giving away credentials or installing malware. In other cases, a failure to follow a process, such as change control, is the culprit. Often, multiple things go wrong. A breach rarely is, and in fact should not be, caused by just one vulnerability.
Consider your own organization’s security culture, and ask yourself what would happen in the following “day in the life of a security program” examples:
When budgeting comes around and the CISO presents a reasonable plan, but the CFO criticizes “unnecessary expenses”
When the development manager waives the security design review because the project is behind schedule
When the Agency Director demands immediate firewall rule changes that could expose taxpayer databases to the Internet
When a potential breach is discovered for the business’s French customers’ data, there’s no detailed response plan, and the CISO goes to the Chief Counsel with a warning about 72-hour General Data Protection Regulation (GDPR) breach notification requirements
When a mutating zero-day virus has been reported at three sites, and the CISO recommends shutting down the network to affected regions with critical business applications
When the VP of Sales receives a demand from the company’s largest account in Dubai for contact information on all attendees at a recent business conference, even though sharing this personal data was not in the conference agreement and could violate compliance regulations
When faced with an apparent no-win choice between business and security values, what will the management team do? Will it reason through the issues to find the least-bad choice or brainstorm a third way out, learn from the experience, and update company policies to clarify similar circumstances in the future?
Or will a series of unproductive meetings end with escalation to the CEO, bad choices, acrimony, and blaming? How did the organization get to this point?
FINANCIAL SERVICES COMPANY HEAD OF INTERNAL AUDIT’S STORY
“Since more than 80% of the company’s applications were custom developed, the global Chief Technology Officer (CTO) played a critical role. In conversation, it was clear to me that the CTO understood the need for secure application development and the underlying risks. However, he felt that development organizations did not have additional budget to incorporate these practices and capabilities.
I recall attending a meeting with the CTO and senior engineering and development executives to get them aligned on the urgent need for secure development and operating practices for their transaction processing systems. Surprisingly, the development executives were vigorously resistant: ‘Why can’t engineering take care of security? We are development and we need to focus on building product quickly – our focus is on writing code that is fast, optimizes the user experience, and enables us to get features to market quickly.’
To help the CTO further understand the risk, I asked a question: ‘So across the infrastructure, is traffic encrypted?’ No one seemed to have a definite answer, and after substantial discussion, the conclusion was: ‘No.’ I continued: ‘Then where is the data security coming from if confidential transaction data travels over public spaces and physical pipes?’ Much to my surprise, the application development and infrastructure security teams started pointing fingers at each other instead of taking ownership and working the problem together. At this point I could see the CTO was losing interest in this topic. There were more important things to do.
My next stop was to brief the CEO. At the end of a long and very interactive discussion with the CEO, which included the CTO, who sat quietly appearing non-committal, I summarized: ‘We are not secure. And the central issue is that each technology team is saying that security is not a priority requirement for them and needs to be provided at another layer or by another team.’ The CEO’s response was lukewarm. The CEO felt that the CTO was doing enough. The recurring subtext seemed to be: ‘Yeah, we know we are highly regulated and while certain processes may not appear to be great, nothing bad has happened – ever! We’re going to be ok.’
Eventually, the company experienced a serious data breach, where vulnerable applications were exploited early in the kill chain.
The unfortunate event was not surprising. I have seen this storyline play out so many times across a variety of companies and industries. Complacency results from diffused accountability and a decision culture that discourages responsibility for risk taking across teams and the management layers of a company. It becomes difficult to encourage informed decisions and a calibrated sense of urgency in a culture that is sclerotic, overconfident, and focused on constraints rather than solutions.”
The preceding story illustrates multiple problems. Security-related roles, responsibilities, and accountabilities were unclear, and the CEO placed a low priority on security. Thus, IT, development, and executive management failed to support deploying even such a basic control as data-in-transit encryption. The last paragraph of the story explains in the head of internal audit’s own words why the company’s woes with security stemmed from a cultural problem.
4.2.2 Or Your Best Opportunity?
When security issues loom, the business’s fate may hinge on a ripple of knee-jerk reactions preprogrammed into the security culture. We’ve highlighted the possibility of failures – the things you want to avoid. Let’s also consider how a healthy security culture can help an organization avert security failures in most cases and respond well or recover quickly even from serious incidents. Is your organization ready? Do the leaders and staff really value security? Do they realize that it requires teamwork between security and business functions and what role they are to play? Do they buy into the policies they’re expected to observe and know what principles to consider when pressed to make a difficult decision?
Maybe not all that – yet. There probably is no perfect security culture out there. But there are plenty of good models that leading organizations can aspire to:
Active executive oversight: Executives aren’t just going through the motions to review a quarterly report and react only when findings or incidents are too serious to ignore. Instead, at least a chosen few are actively meeting and discussing cybersecurity with security leaders from time to time and helping the rest of the executive team and the Board exercise oversight. The CEO or another top executive works with the security leadership to understand and prioritize the business impact of security risks and projects.
Coordinated management: A cross-functional cybersecurity coordination group (such as a security steering committee at larger businesses) is in place. It is sponsored from the executive level, and the committee chair dedicates quality time to it. Although not every security issue bubbles up to the group, those that do get resolved through principles-based deliberation, as much as possible to the benefit of both business and security.
Engaged stakeholders: Business and security leaders or staff perform their security and risk management roles – such as data owner, data steward, risk owner – with the right mix of empowerment and control. A network of informal partnerships between security and business functions complements the official organizational structures and processes.
Supportive workforce: End users are aware of the awareness program and often apply its advice or training to their work and personal computing activities. They tend to understand that security rules and policies are there to protect the business and themselves. They appreciate the security department’s efforts to “make the secure way the easy way” through tools such as password managers and mobile device management. They often report suspicious emails or other indicators of compromise to the security team.
Secure IT users: Business and security staff are aware of cybersecurity risks impacting their job function, make few errors, and practice secure behaviors they have been trained for, such as configuring strong passwords, locking workstations when away from the desk, and shutting down or disconnecting workstations immediately if suspecting malware.
Stable and motivated security organization: The security leaders and team(s) are with the business for the long haul. They share the business’s general goals and values and cultivate partnerships with counterparts at the business level. They work closely with IT and developers to build in security solutions that are often unobtrusive and generally complementary to other business goals. They act like coaches rather than cops.
Bottom line: Businesses can create a security culture that is hospitable to positive models and outcomes like these by establishing and aligning effective security governance, user awareness and training programs, and a process to continuously measure and improve the security culture itself.
4.2.3 Attributes of Security Culture
Earlier, we defined security culture as an organization or group’s amalgamation of perceptions about and behavior toward its own IT and security systems, security policies, and operational or social security practices and projects.
Figure 4-1 illustrates the interrelationship of perceptions and behavior with other security culture components as described in the report “Security Culture 2018: Measure to Improve.” (Footnote 6) Observe that in a security culture, attitudes, norms, cognition, and communication shape perception and behavior. Group perceptions and behavior create better or worse security outcomes. Each component of culture can be measured and has complex interactions with the other components.
Observe how the inputs and impacts (or outputs) of security culture form a feedback loop in Figure 4-1. The book “CISO Soft Skills” (discussed in Chapter 2) analyzes the security program and security culture using system theory. In the authors’ model and this one, negative inputs degrade the system, producing negative outputs and a vicious circle that degrades the culture. Positive inputs and outputs do the opposite. All security cultures have a mix of positive and negative attributes and flows.
4.2.4 Security Culture Styles
Security culture in an organization is part of the larger business culture and needs to align with it. Figure 4-2 depicts various organizational culture concepts which are helpful for security leaders to understand.
General business culture can, according to the Harvard Business Review article “The Culture Factor” (Footnote 7), be understood in terms of eight distinct cultural styles that fall along two dimensions: how people interact and how they respond to change. In another model, Hofstede Insights analyzes organizational cultures along six dimensions (Footnote 8): means oriented vs. goal oriented, internally vs. externally driven, easygoing vs. strict work discipline, local vs. professional, open vs. closed, and employee oriented vs. work oriented. Hofstede also provides tools organizations can use to measure their cultures.
National cultures can be compared in many ways and must be considered as well as the general business culture in determining which security culture strategies and governance models (e.g., centralized, decentralized, and matrixed) will be effective. For example, organizations in a country typified by a high power distance (Footnote 9) are likely to have better results with a centralized, prescriptive leadership approach, while organizations in a country with a low power distance may align better with a decentralized or matrixed organization’s consensus- and collaboration-based processes.
In addition to national cultures, distinct occupational subcultures for executives/managers, office/administrative staff, developers, and other groups exist in almost all but the smallest organizations. Technology and IT services companies have many “white-collar” knowledge workers and developers. Health care has doctors and nurses; educational institutions have professors and teachers. Organizations in retail, manufacturing, utilities, and transportation have large numbers of “blue-collar” workers staffing factories, facilities, stores, or field operations. Government, financial services, and business services industry organizations have their own unique mixes of blue-collar and white-collar functions. The desired security cultural traits and the awareness methods to instill them may vary between these occupational subcultures, and the differences should be considered in deciding where a more prescriptive and where a more flexible and collaborative security culture strategy, governance, and communications approach would be optimal.
Some businesses – such as Chevron, Google, and Southwest Airlines (Footnote 10) – have a business culture that is clearly defined and intentionally cultivated in a consistent manner; others do not. One can look at an organization’s vision statement, or mission, to see if it calls out or implies a business culture style. If not, security leaders should look for other clues as to which of the cultural styles the organization seeks to follow.
Multinational businesses sometimes attempt to superimpose a global business culture vision over operating units in different countries; this scenario may dovetail with matrixed business, IT, and security governance (see Chapter 3). Or, local subsidiaries may be encouraged to operate with distinct national or local organizational cultures.
Other considerations: Organizational culture research doesn’t identify a perfect culture, since the efficacy of a culture is relative to the goals of the organization. However, much is written about the (numerous) dysfunctional organizational cultures, including one short piece from Hofstede Insights (Footnote 11). Business leaders often identify and discuss culture issues on their own and may be in the middle of a culture change project.
Security leaders should align their definition of security, the security program, and security awareness messages with the business culture. When multinational cultures are in play, the security organization must be flexible and creative about how it aligns with them.