The greatest threat to an organisation’s security is often said to be its people. However, they can also be a positive source of security robustness depending on the organisation’s ability to build a good security culture.
The Norwegian National Security Authority (NSM) defines security culture as «the accumulated knowledge, motivation, attitudes and behaviour of the employees, which is expressed through the organisation’s overall security behaviour».
Every organisation already has a security culture. Is it a good or a bad culture? If you by any chance feel that there is room for improvement, then keep reading. The following article discusses a practitioner's view on how to further develop, or even change, a security culture.
C for Competency
My first recommendation is to enhance the overall security competency throughout the organisation. The size and complexity of the organisation define what minimum level of knowledge is required at each level.
Some things ought to be rudimentary, though. All levels of the business, down to the individual employee, should have a fundamental understanding of what security requirements, risks and responsibilities the organisation faces, what strategies have been formulated to meet these, and how responsibilities are distributed throughout the organisation.
Unfortunately, this knowledge is often limited or flat-out missing because the work is far too often outsourced to external consultants. I will go as far as saying that excessive use of external consultants has damaged the security culture in many organisations. (At this point I feel compelled to mention that One Voice, among other things, actually makes a living being consultants, but nevertheless…)
The consultant may be an enabler, a sparring partner and available expertise, but the work itself must be defined and executed by the organisation. People who know why they do things also understand why it is important to do them correctly. An employee who understands the challenges and how he or she can contribute to the solution will take ownership and be a cultural pioneer, a security ambassador.
U for Uncomplicated
«We have people for that!» has for many years been a recurring theme in organisations' security management. Security work has been associated with armoured cars, locked fences and big uniformed guys with mean looks and bad attitudes. Therefore, let us make it uncomplicated! Security work is quality work in practice. We do «secure business, not business security», in other words, «everyday security».
A very recognisable example of this everyday security thinking is a parent's instruction when teaching a child to cross the road: «Look to your right and to your left. If a car is approaching, stop and wait until the car has either stopped or passed». What the child is actually taught is how to assess whether there is a risk (look to your right and to your left), identify a risk (car equals danger) and implement the necessary measures to mitigate the risk (stop and wait).
This shows that from an early age we are used to thinking about risks and security. Something related to our daily lives quickly becomes harmless, and it makes evident that security is part of all aspects of our life, including our work, where we are all part of the security organisation.
L for Liability
This leads me directly to liability. If we are all part of the security organisation, then we are also all liable if anything goes wrong.
The Norwegian national societal security and preparedness work is based on the principles of Responsibility, Similarity, Proximity and, last but not least, Collaboration, which was added after the 22nd of July terror attacks at Utøya and in Oslo, as a direct consequence of the criticism of the lack of collaboration between the organisations involved in the rescue work.
In my view these principles are directly transferable to any level of organisation in any country: for the best possible outcome, security and preparedness should be handled at the lowest possible level, by the same people who have responsibility for the affected area on a daily basis, and with collaboration throughout the organisation.
Even though senior management bears overall responsibility for the security work, department managers are responsible for handling security within their departments, team leaders within their teams, and basically each and every member of the organisation within their own area of responsibility.
Everyone has an independent responsibility, and we have to challenge each other on this. We have to place the liability where it belongs.
T for Training
I will turn to a quote attributed to Aristotle: "We are what we repeatedly do. Excellence, then, is not an act, but a habit."
I believe in regular, small drips rather than the occasional monsoon rain. Although full-scale security exercises also have their purpose, it is the constant input, the regularity of training and exercises, that matters when it comes to building habits.
Desktop exercises, scenario training and alert tests are all examples of flexible and scalable types of exercises that can be part of the regular training of an organisation, preferably at department, unit or team levels.
We also tend to forget that the handling of incidents is training in itself. It doesn't get more realistic than "the real thing". The important thing is to do a proper evaluation afterwards, one that is planned and has specific checkpoints that allow us to identify strengths and weaknesses, measure progress and increase the sense of capability.
U for Usability
If things are too cumbersome, people will find ways of simplifying to make tasks easier. In this respect, humans are fairly simple. Big, clunky ring binders with dusty plans, locked in the security manager's office, will never be used. «Procedures from hell» will never be followed.
We should describe what we actually do and throw out the empty phrases and the fancy words. Keep it simple!
Again, this makes it important to emphasise that security-related plans and procedures (P&Ps) need to be developed by, or in cooperation with, the people who will execute them. They understand the context in which the P&Ps will work. By being in charge of developing the necessary P&Ps, they also gain ownership of their part of the security work.
R for Reliability
The security rules and regulations of the organisation must also be reliable and documented. They cannot be based on oral communication and customary ways of doing things. Everyone interprets what they hear differently, and there is no way to go back and check the facts if the rules are not documented.
The need for reliability also extends to the consequences of security breaches. Without this, any organisation will have problems proving the liability of an employee and can be left with an unenforceable breach.
Finally, there should be no doubt that the consequences will be enforced! Empty threats have a tendency to undermine any kind of authority.
E for Equality
And last, but not least: the rules and the consequences have to be the same for the prince and the pauper! There are some leaders who grant themselves spacious exemptions from the same security rules they expect their employees to follow. The leader must follow the rules to the last letter to be a visible bearer of security culture. It also has to be clear, and if necessary demonstrated, that any breach involving a leader is handled and reported according to the same protocol used when any other employee makes the same mistake.
The leader also poses a bigger risk when he or she bypasses security rules, because of elevated privileges and extensive access to systems. Being the face of the organisation also entails a higher level of exposure, which makes him or her an attractive target. An attacker will always go for the weakest link, and a leader not following the security rules would be the obvious one.
The observant reader has probably discovered my "clever" use of the word C-U-L-T-U-R-E. The gimmick aside, I hope you have understood my main point: building a security culture is all about people, not systems and technology.