In celebration of Week 2 of National Cyber Security Awareness Month (NCSAM) – surprise! Another blog!
In the wild we see culture. The fierce predator, the T-Rex of an organisation. It moves swiftly and silently, devouring all in its path.
Strategy is its favourite dish, chomping down large chunks of strategy and washing it down with the tears of shareholders.
Security is also a delicacy that culture enjoys as a Sunday roast.
In the aftermath of a security incident or breach, many experts focus on the people, process, and technology side of the equation. Did the people have the right skills, were the right processes in place, and did they invest in the right technology that would have stopped the attack?
While these are good and important questions to ask, culture underscores each aspect. A brittle culture can doom even the greatest of security strategies.
The reality is that culture is more efficient than strategy. People don’t go above and beyond the call of duty because something is written in a policy. They do it because they believe the company, their colleagues, and peers would do the same for them.
In this regard, culture provides greater discipline than disciplinary action does. If a company has a culture of aspiring to be environmentally friendly, it doesn’t need a policy to tell people to separate their rubbish into the relevant bins; co-workers will take care of that. Similarly, when a company has a strong security culture, co-workers will help take care of any issues that need addressing, such as leaving workstations unlocked, sharing passwords, or forgetting sensitive documents on the printer.
Building a security culture from the ground up is akin to the Broken Windows Theory popularised by James Q. Wilson and George L. Kelling, where they advocated reducing large crimes by stopping smaller crimes. The authors claim that a broken window left for several days in a neighbourhood would trigger more vandalism. The small defect signals a lack of care and attention on the property, which in turn implies that crime will go unpunished. This theory was used to fight vandalism on the New York Subway - arguing that cleaning up graffiti on trains would prevent further vandalism.
Perhaps one of the biggest strengths of having a strong security culture is that there isn’t the desire to find scapegoats. When a security breach occurs, firing the CISO or blaming individuals won’t undo the breach.
Taking a measured approach to understand what went wrong, and finding ways to fix it will build business resilience. It reinforces the fact that security will never be one hundred percent perfect, and there will be tough times that the organisation will overcome together.
This creates the difference between staff coming to the defence of their company during a crisis, as opposed to joining in the attack.
The security culture extends beyond the corporate environment though, and can be seen in people’s personal lives. This is very much needed. When we look at the amount of information that people have online, it is important to foster an extended culture of security within the home. Making family members aware of online dangers and how to navigate them is sometimes more important than protecting corporate data.
But to be effective in the long run, good security needs to be observable. Otherwise it is just as easy to slip into bad practices. A study conducted by Gino, Ayal and Ariely demonstrated the connection between cheating and its impact on others.
Participants were asked to solve twenty simple maths questions for fifty cents per correct answer. The participants were to check their own answers and then shred the answer sheet, leaving no evidence of any potential cheating. The result demonstrated that participants solved on average five more problems compared to the condition where cheating was not possible.
The researchers then introduced a fake student who was asked to raise his hand shortly after the experiment began and proclaim that he had solved all the problems. Other participants were aware it was impossible to do so in a few minutes, but the judge did not object and asked the student to shred their answer sheet and take the money.
Interestingly, other participants’ behaviour adapted, with participants reporting to have solved, on average, eight more problems in comparison to the condition where cheating wasn’t possible.
Security culture isn’t something that can be built overnight. Changing people’s behaviours is a slow process, and needs to be worked on continuously. However, the payoff is worth it. Building a security culture provides a level of risk prevention that cannot be attained with strategy alone.