How to Create a Strong Information Security Aware Culture?
Everyone understands the importance of information security these days. No one wants to have vulnerabilities or be susceptible to a data breach, and yet they happen. Most articles describing how best to avoid an attack will talk about how your people are often the root cause. This is true, with statistics showing that most successful attacks are inadvertently caused by human error. Most CTOs I talk to agree that creating an information security aware culture is the best prevention.
What is an Information Security Aware Culture?
Before I talk about how to create an information security aware culture, I should start by explaining what I mean by this. So, what is an information security aware culture? The answer is simple – it is an organizational environment in which information security is first and foremost in everyone’s minds. It is an environment in which information security is always a paramount consideration when designing operational processes, building software products, delivering services – it is simply part of everyday business life.
8 Step Plan: How to Create an Information Security Aware Culture?
No one can absolutely guarantee that malicious actors will never gain access to data or systems, but by following the steps below you will be taking all reasonable steps to avoid this from happening.
1. Information security awareness starts at the top.
Information security is not just an IT thing. It is not just something to be driven by your Information Security team - if you even have one in your company. The message that information security is paramount must come from your CEO and your senior management team. An information security awareness and focus should then permeate through every role and to all levels within your organisation. Even the cleaner has a role to play. I was recently talking to a fellow CTO who was explaining how their cleaner had removed what they thought was rubbish, only to find that some highly confidential designs were now somewhere to be found at the public refuse centre!
Ideally you should nominate one or more of your executive management team to be responsible for information security. In our organisation both I, as the CTO, and the COO are jointly responsible for information security. Having this senior management buy-in is vital to successfully building an information security aware culture.
2. Set objectives relating to information security.
Once everyone, from the CEO to the office junior, is aware of the importance of information security, you need to articulate what you mean by ‘treating information security as important’. At our organisation we have a set of ten objectives which we hope to achieve by having an information security aware culture. These are not business objectives; they are specific information security objectives. Examples would include targets for how often we run internal audits, how often we run information security training, etc. These objectives should cover your entire organisation, not just your technology team.
3. Make information security behaviours relevant to everyone.
I have found that by far the most effective way of ensuring everyone follows information security best practices is to explain exactly what we need people to do in every job function. There is little point asking the office junior to ensure data is encrypted to AES 512 standards or asking the CEO to rotate security keys every month. When explaining what you expect from each person in the organisation, you need to communicate in a way that they will understand. You need to make it resonate with them, and it must be tailored to their level of technical understanding.
We have a set of information security procedures that explain how certain key tasks should be performed. For example, we have a user guide explaining how to use an encryption app before transmitting sensitive information. We have an employee handbook describing how to store and change passwords. The key is to avoid technical jargon.
4. Provide information security training.
Information security awareness and training starts before someone joins our organisation. We circulate easy-to-understand guidelines before new joiners receive their passwords, etc. Day one on the job is partially spent explaining how seriously we take information security and ensuring new starters understand the information security handbook. We also provide job-specific training. For example, developers are taught how to protect and secure source code; sales representatives are shown how to protect customer details. We maintain a training record for each employee and provide regular ‘lunch and learn’ information security knowledge boosters. If you want everyone in your organisation to maintain the highest levels of security awareness, then you have to invest in information security training.
5. Make it measurable.
We’ve spoken about setting clear expectations that are relevant to every level in your organisation. We’ve explained the need to provide ongoing information security training. The next step is to ensure that you can measure the extent to which your information security controls are both effective and being followed. We find the key is to automate data collection and reporting wherever possible. Some measures are easy to obtain and objective, e.g., “Servers must be patched monthly”. Others are slightly harder to obtain and require a slightly more subjective discussion, e.g., “Information security must be reviewed when delivering every new product increment”.
6. Regularly check people are doing what you expect.
Running internal audits is an important aspect of building an information security aware culture. If you have clear objectives, have clearly articulated what you want people to do, and have made it measurable, then running internal audits should be very straightforward.
The mindset with which you perform these internal audits is vital. If you run audits with the mindset of denigrating people who do not follow your guidelines, then you will not succeed in building a strong information security aware culture. If you run the audit with the goal of identifying information security training needs, providing that training and encouraging those who did not follow your information security best practice, then over time this will contribute to building a much stronger information security culture.
7. Punish repeat offenders!
In my last point I advocated focusing on information security training needs and encouraging your team to follow information security best practices. This is most definitely the best way to build a positive culture; however, there will be some who continually fail to conform, even after encouragement and training. You hope and expect these are the vast minority, but you do need to have consequences ready for those who do not learn. These consequences can take many forms, and in the worst case you need to be ready to remove serious, repeat offenders from your organisation.
8. Keep going.
Creating any form of culture is a time-consuming exercise. It can take many months to create a strong information security aware culture. Be ready for the long haul and ensure that the top-down, positive reinforcement of the need to follow information security best practice continues and does not tail off over time. I have seen many organisations start information security best practice initiatives, only for work pressures or budgets to mean that the initiative wanes over time and eventually becomes a thing of the past. If you are serious about information security, then you need to be in this for the long haul.
Commit to building an Information Security Culture
Creating a strong information security aware culture is not easy. Many organisations try but ultimately fail in their goal. In my experience the only organisations that succeed are the ones who truly put information security at the heart of their everyday life and who have total commitment from the senior executives.