We often hear that people are the weakest link when it comes to cyber security. However, with a strong security and risk culture within an organisation, people can be the strongest link.
Think about the one astute employee who reports a phishing email (and it only takes one), which helps their organisation thwart an entire phishing campaign. Now, I don’t want to simplify security and risk culture to just knowing how to deal with phishing emails…that wouldn’t do it justice.
I define culture as how people behave when nobody is looking. It’s about the decisions and actions they take when faced with security or risk issues. Do they recognise issues and step over them, or do they stop and do something about them? Are risk processes established within the entire organisation and are these passionately supported, or are they broadly ignored or met with pushback?
A security and risk culture is a subset of the broader organisational culture, and there needs to be a clear line of sight back to it. Good security and risk management empowers an organisation to achieve its strategic objectives by making sure the organisation operates in a safe and sound manner. A good security and risk culture needs to be embedded so the organisation can succeed, without incurring undue risk or being stifled.
So, what does a security and risk culture look like? I am sure there are multiple opinions on this and I may miss a few things, but this should put some shape around it.
Proactive identification of risks.
Train and educate staff on how to self-identify risks and provide a mechanism to report these. Make sure they can proactively identify risks and make them visible, rather than ignore them or wait for risk or audit teams to identify them. The level of self-identification of risk, and active management of it by operational staff on the front line, is key to a strong risk culture.
Strong risk governance.
This is about how identified risks are treated, discussed and debated at the right levels within the organisation. Those who are best placed to make the key decisions around risk acceptance or treatment must do so. Making this visible across the organisation is another key indicator of the risk culture. Continual review of the risk and controls governance process and framework is imperative.
Risk trending and monitoring.
Leading on from the governance process is tracking how risks are being managed and what progress is being made. Are we seeing self-identified risks grow faster than we are closing them? Are we closing the risks in a timely way and in the right priority order? Is this actively tracked and monitored and are there escalation processes in place that drive the right activity with the appropriate urgency?
Security and control processes.
Across all technology and operational processes, whether application development, technology infrastructure management or critical business processes, risks need to be identified and controls put in place to manage them. These controls must be regularly assured to determine that they are designed adequately, are operating effectively and provide completeness (coverage) across the entire environment.
Consequence management.
How are people held accountable for their actions or negligence? The organisation must act against those who do not behave as expected. Failure to act will undermine efforts to build the culture and to set the expectations of how people are to behave and what the outcome will be if it is not supported.
Reward and encouragement.
We don’t want to use just a stick (consequence management). We want to foster a culture where good behaviours are recognised and rewarded. Role modelling and war stories can be used to help highlight and encourage the expected behaviours. This not only helps build the risk culture, but it will also increase the engagement of staff more broadly. Furthermore, this should be built into the performance objectives with Key Performance Indicators defined.

There are four steps that can be taken to build the right culture:
1. Define the target state:
Define the values employees need to live up to in order to meet the target state. Have the desired culture translated into pragmatic, easily understood descriptions of what is expected. Link this back to the organisation’s strategic objectives. For example, a strategic objective might be to provide an exceptional customer experience. To do this, the security and privacy of the customer is paramount, and the trust of the customer must be maintained. The employee values and behaviours needed to support this can be relatively easily defined.
2. Exercise a point in time assessment:
It is important to understand the current state of how things are done and how employees behave. There needs to be a comprehensive and in-depth understanding of the culture at all levels of the organisation to identify sub-cultures that may exist.
3. Establish metrics for culture to provide tangible evidence of cultural change:
Metric selection should focus on governance as an agent for change, sub-culture changes and culture, as well as conduct.
4. Define a culture change plan to achieve the desired state:
This should include a clear path, concrete actions and sustained efforts, leadership ownership and organisation-wide engagement.
Driving culture change is an iterative process and it needs to be sustained over time. Organisations need to be committed to this over the long term and they must provide a mechanism for feedback along the journey. This can’t be a command-and-control approach – you need to win the hearts and minds of staff and have them engaged and feeling like they are part of shaping this change.
Culture objectives must support the strategic objectives of the company and take into consideration the risk appetite of the organisation. There needs to be a balance between being too conservative and not being conservative enough. There needs to be a healthy tension between risk takers and business leaders and healthy debate and challenge with mutual respect. The culture should not be one of avoiding risk at all costs nor should it be one of excessive risk taking. The objectives will vary from organisation to organisation and will continue to evolve within each organisation over time.
