Taking into consideration the Oxford Dictionary definition of culture, we may define security culture as "behavior, thoughts and practices that impact security in a positive or negative way, and that are common for a group of people or an organization."
The culture part of that definition is about people - their behavior, thoughts and practices. The security side of the definition is how that behavior impacts security, positively or negatively. Your organization's risk matrix and risk acceptance level will help you determine to what extent your current security culture is good or bad.
After working on establishing security culture in organizations around the world, I have found that there are three vital parts, or prerequisites, needed for creating and maintaining good security culture.
The first part of the puzzle is technology. In order to create security culture, you need security technology. This includes all the basics like firewalls, antivirus, VPNs, access management and so forth. Equally important is to remember that the technology should be supporting the employees in doing their jobs - which means there will be trade-offs between security and usability. Another important point about technology is that it should support and enforce the next part of the puzzle: your policies and regulations.
These are all the rules you put in place - either by writing them down or by sharing them orally - to set the boundaries of acceptable actions your users can and should perform. One thing to keep in mind is that policies are worthless if they come without incentives. If there is no defined and explained reason to adhere to a rule, the chance that people won't follow it is high. Also, the policies should be clear and make sense to everyone who has to follow them.
As noted above, technology can and should be used to enforce the policies. By that I do not mean that you should use technology to spy on your employees so you can catch them doing something wrong. What I mean is that technology should be implemented in such a way that it helps the user get the policies right, and that it makes it easier to adhere to the policies than not to.
Take password policies for example. You write them down, distribute the text, and then you expect people to change passwords every X days. We both know that very few do so, unless you also implement reminders before the due date, and lock users out if they haven't changed the password until they do so. Try to use technology to enhance your policies just like you do with passwords. It makes it easier for the user to follow the rules, and it also makes your job easier.
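As an added illustration of the reminder-then-lockout approach described above (example code written for this edit, not from the original article), the routine below evaluates each account's password age against an assumed policy: a 90-day maximum and a 14-day reminder window are constructed values, and the sample accounts are constructed too.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy parameters (constructed for this example, not from the article).
MAX_AGE = timedelta(days=90)        # password must be changed within this period
REMIND_BEFORE = timedelta(days=14)  # start reminding this long before expiry


def password_state(last_changed, now, max_age=MAX_AGE, remind_before=REMIND_BEFORE):
    """Return (state, days_left) where state is 'ok', 'remind' or 'locked'.

    - 'ok':     password is within policy, nothing to do
    - 'remind': still valid, but inside the reminder window
    - 'locked': expired, never set, or change date is in the future
                (clock skew or a tampered record); account stays locked
                until the password is changed
    """
    if last_changed is None or last_changed > now:
        return ("locked", 0)
    remaining = max_age - (now - last_changed)
    if remaining <= timedelta(0):
        return ("locked", 0)
    if remaining <= remind_before:
        return ("remind", remaining.days)
    return ("ok", remaining.days)


def evaluate_accounts(accounts, now):
    """Map each account name to the action the technology should take.

    `accounts` is an iterable of (name, last_changed) pairs.
    """
    actions = {}
    for name, last_changed in accounts:
        state, days_left = password_state(last_changed, now)
        if state == "ok":
            actions[name] = "none"
        elif state == "remind":
            actions[name] = f"remind: {days_left} days left"
        else:
            actions[name] = "lock until password changed"
    return actions


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample = [  # constructed sample records
        ("alice", now - timedelta(days=10)),
        ("bob", now - timedelta(days=80)),
        ("carol", now - timedelta(days=95)),
        ("dave", None),
    ]
    for name, action in evaluate_accounts(sample, now).items():
        print(f"{name}: {action}")
```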