Security Culture

The ideas, customs, and social behavior of a particular people or society
that allow them to be free from danger or threats.

My organization?


Daniel Andersson

Information Security Advisor and Consultant at CAPSAB
Daniel is a senior security manager in the banking and card industry; he has worked with PCI DSS since 2005 and has broad experience implementing PCI DSS.

Daniel also has an IT engineering background, having worked with a broad selection of platforms and communication equipment.

Daniel is an ISACA Certified Information Security Manager (CISM), a PCI Professional (PCIP) and a certified Security Culture Practitioner.


The head hunter and human resources workforce

My organization, what do they know about security that could help me? That is a question you may ask when first learning about the organization module of the Security Culture Framework. As the information security expert, you are sure that you have all the skills needed to educate your organization on how to adapt to the security rules that you have approved, and perhaps also written most of.

This is often where a typical awareness program starts to fail: a single person tries to be the expert both in the topic and in how to deliver training and information adapted to how others best understand and learn the subject. In this case the topic is one where you, as the security manager or expert, have worked in the field for a long time and spent a lot of time creating and reviewing material that others are expected to learn in 30-60 minutes.

To be honest, creating the security policy and procedures can be a hard task, but what is even more challenging is ensuring that all employees actually follow the procedures and have the level of knowledge needed to understand why they must follow them.

To create an optimal education package that targets your mixed audience, you need to partner with a project manager, a training expert, a marketing expert and representatives from the different business units. Most important of all is to secure C-level management commitment for rolling out the program, including a sound budget.

So you may ask, where should I look for these experts? In larger organizations the HR department is often responsible for training and has in-house or hired experts who tailor education packages for internal use; they also have experience of which form of education works best with different groups, whether live sessions, e-learning or other methods. A marketing expert you will find in the sales and/or marketing department: your security policy should be seen as a product that you would like people to know all about, and the marketing gurus are able to create that hype.

The representatives from the different departments will help you understand how the message will be received, and tailoring the training to each department's needs is crucial: your sales department will not need the same training as your IT department. Many awareness programs roll out the same message to everyone, with the result that it is either too complicated or too easy, and the audience loses interest in learning.

With this dream team in place, your appointed project manager can start aligning the team and advancing towards the common goal of building security awareness and security culture within the company, using the topics and planner modules.
