Monday 6 February 2017

Flicking the switch for your security culture program

Safer Internet Day

About a week ago, I was having a chat to Jacqui Loustau at a Last Tuesday of the Month (LTOTM) event about a blog article for the AWSN to promote ‘Safer Internet Day’. After some discussion and a few glasses of red, we landed on a topic that will resonate with many information security folks - how to actually plant the seed for security culture change.

Many security professionals are fortunate to work within great companies or with great consulting clients, so we spend a lot of time talking about the benefits of security culture, what best practice looks like and what our peers in the industry are achieving. In our excitement and zest for improving security culture maturity, we could be forgiven for not taking a step back and thinking about those individuals and organisations that are just starting their journey, or may not be aware there is a journey!

Being in the business of security culture means I’m regularly assessing just where our clients are on their security culture journey. Regardless of industry sector, size or turnover, Australian companies are at various stages of maturity. Some are just starting to sow the seeds and get management buy-in, some have internal support but need a ‘kickstarter’ to help them plan and implement activities, and others have more mature programs that they want to continually improve. Rarely is it a question of budget or resources; barriers such as lack of management support, time constraints or ‘where do I start?’ are the common themes.

The purpose of this article is to provide some tips for our peers who need a helping hand. You know security culture is important, but you might be having some difficulty obtaining the necessary support to move forward. So, without further ado, here are some prime pointers for helping you get the show on the road.

  • The burning platform
    Like any behavioural change initiative, you need to identify the burning platform. By that I mean asking yourself, “the consequences of not changing are… what?” Many of us know the answer because we live and breathe security every day, but you need to be able to convince your sponsor, manager or whoever the decision maker is (note: whoever controls the purse strings) why you need to embed security culture within an organisation. It’s up to you to ensure security culture has a seat at the table. More often than not, poor security behaviours are already occurring; they just aren’t being articulated in a manner that will inspire action. Knowing the pain points and being able to articulate them will also help you define your metrics and ultimately measure the impact of the program.
  • Get buy-in with data
    The proof is in the pudding. Some of our clients run phishing exercises and/or our targeted Hackability Assessments™, such as testing physical security controls like access and tailgating. They then table these findings. Knowing that Joe Bloggs, pretending to be an IT contractor, made their way into the building, popped their sandwich in the toaster in the common room, had a chat to the staff, and then proceeded to collect confidential information, plug access points into the network and spend the afternoon wandering around the building tends to raise alarm bells, which in turn can translate to support from the highest level of an organisation.
  • Partner up
    Ensure you are partnering with people who have influence in the organisation and who can help you find ways to effectively build a plan and communicate the messages. In their book “Blue Ocean Strategy,” W. Chan Kim and Renée Mauborgne suggest starting with people who have disproportionate influence in the organisation. Once they are committed to the cause, they can help shine a spotlight on your program so others get the message too. Influencers can also provide much needed insight into what will work and what won’t, depending on an employee’s role, the channels they can access and the success of other behavioural change initiatives. Stakeholders who understand an organisation's mechanics include Internal Communications, HR and Executive Assistants (the latter are also influential amongst the C-Suite).
  • Don’t reinvent the wheel
    Look for ways to align with and leverage existing forums, champions or activities. This can help ensure the message sticks. Opportunities include the quarterly staff roadshow or Town Hall, Lunch and Learn series, Risk or Change Champions network or other activities where there is already a captive audience. Then find ways to incorporate your message. People will thank you for being respectful of their time and existing commitments if you leverage activities and events that are already underway. These forums are also a great way to connect to more arms and legs in the organisation, especially if you have limited resources for your program.
  • Show me the money
    Find out how much money is being spent on technology vs security culture and change. I’m often surprised to learn that companies are spending millions of dollars on technology but seem reluctant to support a security culture program. ZDNet released this list of the biggest hacks and security breaches from 2016, and upon closer inspection they are all caused by the human factor, whether it was user error, poor coding or poor security behaviours. Industry-relevant case studies and media coverage can help communicate where things can go (and have gone) wrong and help your business case for funding.
  • Celebrate your wins
    Share stories about individuals or teams that demonstrate positive security culture behaviour and reward them. If someone has reported an incident or highlighted a risk, give them a virtual high five on Yammer or leave them a personalised desk note from the Cyber Security team thanking them for their efforts.
  • Flicking the switch
    Thinking securely isn’t about recalling a set of security-related facts. It is about viewing the world in a particular way and flicking the security mindset ‘switch’. Ask staff what they want to see in a security culture program. We find that focusing on the personal impacts of security, such as social media, cyberbullying and online fraud, is a good way to grab attention. You can then tailor the message and link it to the security culture behaviours you want to see embedded in the workplace. Try to make it fun, whether that is by sharing quirky YouTube videos about security incidents or creating a cyber security mascot with some catchy slogans. Stories are also a great way to engage people in a topic they may not necessarily feel interested in. And please, no pictures of padlocks, fish or masked hackers.
    For more advice, read the simple tips from businesses with security culture programs here.

Finally, remember that building a security culture won’t happen overnight. You will need patience and persistence to drive behavioural change. Sowing the seeds for a secure culture is about engaging with the right people, getting their support and committing to a plan. The SIT community joined forces yesterday to #AskOutLoud around Australia for Safer Internet Day and to help put security culture on the radar. It’s now up to all of us to keep this momentum going.

Melissa Misuraca is Co-Founder and Principal - Security Culture, at Enex Carbon.

This post has been created by Melissa Misuraca on behalf of AWSN.

(c) AWSN 2016


  1. Thank you very much, this is an excellent article. However, I was wondering: what if I am not part of an organisation, how do I go about sowing seeds of culture change in different organisations 🤔

  2. Ayebare Kagina (Manzi) How about helping a not for profit with their initiatives or joining a student mentoring group? Some countries also run competitions where citizens can contribute ideas for Government security awareness campaigns. Finally, you could consider becoming a freelance consultant and on