Monday, November 10, 2014

4 Key Concepts for Enhancing Organizational Security Culture

image source: http://welivesecurity.com
We have previously discussed Ways to Sell Security Expenses to Business Executives, but what about users? It is increasingly difficult to persuade the actual users of information systems to buy into cybersecurity concepts, but they are the cornerstone of the entire initiative. According to a recent article at DefenseNews.com, the biggest concern for security professionals is the lack of good security hygiene practices by users. This problem is better defined as the misuse of information systems or organizational information resources. The next issue that scares experts is the frequency of infiltration or data leaks directly carried out by phishing attacks and malware.

Cybersecurity Awareness Training: Make it Relevant

The first line of defense for these threats in most organizations is the implementation of Information Security Awareness Training. This is usually an annual in-person or online training program that is required for continued use of information systems. In other words, if they don’t attend the training, they lose their accounts. A quick Google search provides a laundry list of free examples and resources for the folks in the security department who want to put a “check in the block” for their organization. The problem with these “cookie cutter” training programs is that they do not directly address the security concerns of highest priority in the organization. The global cybersecurity landscape changes almost daily and a successful security awareness program is one that shifts direction with these changes. I have seen several organizations that use the same PowerPoint slideshow and/or questionnaire for several years, which gets monotonous to the users and has a direct negative impact on the cybersecurity culture.

I don’t want to get too in-depth on awareness training examples that could influence users to actually care, but perhaps you can provide some examples that have been influential in your organization in the “comments” section below.

Take Home Security, not Work Stress

Last May, I shared A Case for Employer-Provided Security, in which I expressed an idea of organizations providing anti-virus software and training to users for their home systems and networks. This not only shows profound management support of cybersecurity and the users, but gives employees a resource for protecting their families. I have three daughters, and their security on the internet is a very large concern of mine. If my employer provided classes on securing my systems and wireless network(s) at home, I would be in the front row taking notes.

I, like most of you, do a portion of my work at home. Most of the time this only involves writing a white paper, answering emails, or preparing presentations – none of which require my work system or VPN access into the network. It is very beneficial to my organization that my systems and networks at home are secure.

Organizational Security Policy

One of the most overarching and concrete methods for showing management support of the cybersecurity program is through the use of an Organizational Security Policy. This policy is one that often only identifies the roles of cybersecurity managers and departments in the organization, along with extremely surface-level statements by executive management that pertain to the mission of the security program.

If your organization doesn’t have an Organizational Security Policy, look again. It might just be hiding in the background, not being used to the extent of its purpose. If you still can’t find it, you need to do something about that.

Security to Support the Mission

Last month, I tried to influence security professionals to shift their focus and mindset to Support the Mission and Get Away from “ExplicitDeny”. One of the biggest complaints by users is that the security department seems to only exist to decrease productivity and their ability to do their job. Security teams can change that perception by leveraging new technology and finding ways to make it secure, as opposed to automatically saying “no” out of fear or laziness. After all, the purpose of cybersecurity is not to deny progress, but to reduce system, network, and data risk to an acceptable level.

Solicitation for Comments

If any of you have any additional tips for improving the cybersecurity culture in our organizations, please do not hesitate to provide them in the “comments” section below. We are all a part of this community, and the more we can help each other, the better we (and our organizations) will be.

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.