What does the word “culture” mean to you? When I think of culture I think of it as something that encompasses an entire society of people, not just a subset; so a security culture should consist of everyone within the scope of a security domain – whether that’s an organisation, group, location or other defined range.
That said, your scope will likely include groups with different requirements, different ways of working, or just people who have no interest. Your job, as a proponent of security culture, is to understand these differences and work with and around them to make sure everyone who needs to be is included – to the right degree. Not everyone can be an artist but most can appreciate a good painting.
Here’s an example of what I mean. What’s your answer to these questions:
- Who uses your corporate data?
- Who decides how important (or unimportant) every piece of information is?
- Who decides what protection each piece of information is given?
Did you answer “everyone” to the first? That’s good.
So hopefully you answered “those who know the most about it” to the second and third. You did? Great. While security affects everyone in the organisation – we all potentially use what needs to be protected, so we all have a stake in ensuring that protection isn’t breached – not everyone needs to be involved in every decision: those who have the clearest idea of the value, sensitivity and importance of the information are likely to be those who handle it on a daily basis, and they need to be consulted.
You didn’t? Not so good. Maybe you said the IT manager, data manager or their teams made those decisions; ask yourself whether they are the right people, and whether they should be the only people involved. While they may have the clearest idea of the security controls that can be applied, can they state which data needs which controls? The danger is that data with low sensitivity receives protection out of proportion to its value – which makes the data harder to use effectively – while data with high sensitivity isn’t recognised as such. Unless the data users are engaged with the process they will see security as someone else’s job and not worry about potential data leaks and breaches.
Security culture, to me, involves everyone in some way according to their roles, strengths and potential input; just like those who paint and those who can’t paint but go to a gallery, own a gallery, read about painting, or are involved in some other way. Let’s move security away from its traditional home within the IT department, invite all to contribute wherever they can and build a security culture together.
- Culture includes both the artist and their audience - 13/01/2016