A compliance-based security culture tells people what to do and not do.
A security leadership culture engages with people on why security matters to them personally and to the organisation, and then continuously models what to do, when, where and how to do it, so that good behaviour begins to permeate the organisation both vertically and laterally. It also empowers people to proactively challenge bad behaviour without reprisal and enables them to exercise greater agency in decision making.
‘That sounds amazing, how do we achieve this?’ I hear you ask.
Firstly, context is key; imagine working in a benign office environment, and employee Joe “jumps down your throat” every time you move two feet away from your unlocked computer terminal – that’s a ticking timebomb in terms of workplace culture. The fact is, not every workplace needs to be a high security environment; it all depends on the risk context.
This is where security risk assessment comes in: to establish the context, understand the criticality of the assets you’re working with, and assess the level of threat posed to your organisation, so that an appropriately risk-based security culture strategy can be developed.
To move an organisation towards good security behaviour, develop a clear strategy once the security risk assessment is complete, setting out intended outcomes, workstreams and milestones. Be sure to identify potential hurdles before they arise, and plan effective mitigation strategies.
Perhaps the most critical elements of your security culture strategy are leadership and education.
Who is going to champion the proposed changes, and how will the messages be reinforced?
Everett Rogers’ theory of Diffusion of Innovations is one useful tool that can be adapted for understanding and planning how to effect change across large organisations.
All too often, organisations spend tens of thousands of dollars having strategies developed without first identifying and defining the root causes of their problems, and consequently fail to implement the desired changes. This is especially likely when nobody takes responsibility for leading the change and enlisting the help of other organisational influencers.
To effect and maintain positive change requires genuine commitment, substantial effort and material resources.