
Security Awareness Series: Part Four – Leveraging Corporate Culture

August 5, 2010

Want to create a culture of security? Don’t bother.

If there is one overused phrase when it comes to defining the aims of a security awareness program, it is ‘create a culture of security’. Not only is this phrase a cliché, it is misguided, it demonstrates naivety on the part of the security professional, and how are you going to measure it anyway?

People in the security industry are by and large clever and resourceful. But we’re not organisational culture change experts. If you think you are, then take a look at the Wikipedia entry for Organizational Culture. It’s 14 pages long when printed. Check out your city library for books on the subject. You might be surprised at just what a large and diverse topic it is.

So if anyone thinks a few posters and a couple of compulsory lectures a year are going to ‘create a culture of security’, they should think again. Leave culture creation to the experts, the HR strategists and the Organisational Change Managers.

But all is not lost. In fact now that you are freed from that impossible task you can work with what you’ve got.

[Image: a culturally specific awareness poster]

Your organisation already has a culture, and believe it or not security already fits in there somewhere. What you need to do is leverage that culture. Find out what it is and use its own weight against it. It’s a bit like judo, except here we are not trying to subdue an opponent: we want to direct the organisation’s own institutionalised culture to do our bidding.

What do I mean? Okay, let’s do this in two parts.

First, to make you feel comfortable, go back to first principles. Confidentiality, integrity and availability. The CIA triad. Every security professional knows these. What you need to do is recognise which one is most important to your organisation. Of course they all have their place but if you really think about it one of them will be foremost in the minds of the majority of your colleagues whether they understand it or not.

This is really important. If there are strings to pull then these are the sticks they’re tied to (assuming that whole string pulling metaphor is about marionettes). If an organisation is a profit driven, customer focused beast then availability is probably the biggest concern – the CRM system needs to be available 24/7. In a clinical environment, information integrity will be the most important – doctors need to know the information they’re using is accurate (someone pulled me up on this once and said the main concern for doctors would be privacy, but frankly I think any doctor would rather have a live patient with privacy issues than a dead one nobody knew about, medical misadventures excluded).

So knowing which part of the triad is highest in the order of things helps, but it is only half of the story. The other cultural factor to consider is more about traditional organisational culture. Take a look at that Wikipedia article to get a sense of the various cultures that might exist. There are loads of models. But here is where your own knowledge of your organisation, built up through experience, counts.

You might identify your organisation as young, edgy, high tech, and commercially focused. Or maybe it’s solid, conservative, and process driven. What’s most important, protecting customers’ privacy or protecting the bottom line? And why? Are professional reputations at stake, or jobs, money or even some higher, altruistic purpose? Recognise though that it’s never just about compliance (or shouldn’t be).

These are the cultural aspects to think about. Combined with the security goal (from the CIA triad) you will start to get an idea of what motivates your organisation.

Now for the good news. Your co-workers have already been indoctrinated… so roll with it, not against it. If you’re lucky there might already be a strong understanding of the need for security. Whatever the case, your task is to show people how good security is going to make it easier for them to do a good job, and for their organisation to thrive.

Still don’t get it?

Okay, to spell out some hypothetical examples:

“Doctors and nurses – Scan your USB sticks because they can carry viruses which can bring down clinical systems, which could impact your patients’ health”

“Sales people – password protect your smartphones. Losing your phone could mean losing your customers and your commission”

“Politicians – Protect the passwords to your social networking tools. Your words could be someone else’s.”

You wouldn’t use these messages ‘as is’, of course. You’d tailor the language, graphics etc. to suit your organisation. But hopefully you are starting to see it’s all about leveraging the existing culture, not trying to create a new one.

2 comments

  1. Good words, and a sound theory. Unfortunately, like many organizations, my company is extremely diverse. Everyone from marketing to linemen to billing specialists to power plant operators… and the most challenging, IT and telecommunications people in my own department! Do I need to develop separate awareness programs for each area? In the 5 years that I have been heading up our awareness effort, I have learned that too much information is like an off switch for a person’s brain – so I wouldn’t want to include all of the information for every area. On the other hand, going with the lowest common denominator sounds like we are “dumbing-it-down” to some people who expect more in depth information. I like the idea of using our culture, but I’m open to ideas how to carry it off in our situation.


  2. Thanks for the comments Heather.

    With regards to carrying it off in “your situation” have you spoken with your HR or L&D divisions? They should have a good idea of what motivates your colleagues in general.

    It may be that you do have to have some different messages for broad sections of your organisation. The best learning is achieved when learners are motivated to seek it out themselves. A general awareness campaign could be used to catch people’s attention (e.g. an enticing poster or an advert in a corporate newsletter) and then, when they follow it up, that’s when you could direct them to the information that is relevant to their role.

    I did this recently with an encryption campaign. An eye-catching poster directed everyone to our site where there was some basic info on encryption requirements for portable media. Then there was a ‘presentation’ made with Flash titled Encryption 101 that was strictly for geeks. It explained concepts like public/private keys and Vigenère ciphers. I had a lot of feedback from the IT crowd who were drawn to it.

    On the other hand, who says every awareness campaign has to target the entire organisation? If you run short regular campaigns then you can target different areas each month with information relevant to their needs.
