Security Culture

The ideas, customs, and social behavior of a particular people or society
that allow them to be free from danger or threats.

Organizing the work and gaining support

In The Security Culture Framework, an important factor is to use the right competence in the right places.

The maturity of the organization within the field of security will be an important factor in how the work is organized. As an example, it is important that the person responsible for security understands that building a culture of security requires more than just people from the security team; it requires a broad range of skills and experience, which need to come from a number of different departments.

It is recommended to establish a working group that can consist of, among others, the roles described below:


It’s a prerequisite in The Security Culture Framework that the work with culture building is organized properly. Essentially, you need a leader or manager who takes responsibility for the program.

This person may be a member of the group established to create security culture, or a pure project/program manager.

CSO/CISO/Risk Manager

The person in charge of security has a natural part to play in building a security culture within the organization. This person, regardless of title, provides the core competency for security and is therefore the subject matter expert (SME).

This person will set security goals, make any revisions and decide upon actions to increase the level of security awareness within the organization. Naturally, this resource defines security strategy and therefore understands the bigger picture. With an understanding of the current security posture and the desired state, this person will be key to ensuring that the program is a success.

The person responsible for security is one of the three core roles in The Security Culture Framework.


Culture is about people and interaction. Most organizations today value their employees and have a personnel department which includes training, cultural building activities and workforce management. These are commonly referred to as Human Resources (HR).

Specialists in organizational behavior and culture are often found in these departments. These experts and their competence are of great value when working with culture establishment or change, and including them in the group is highly recommended.

The HR department normally has the best overview of the organization. The HR department is the one to collaborate with when deciding which training topics should be provided to which departments. In addition, the HR department has good communication channels within the organization and good experience with internal communication.

One or more resources from the HR department should be involved in the work with security culture, and in The Security Culture Framework the HR resource is one of the three core roles.

The Marketing Department

The marketing department in the organization are the people who have skills and experience in effective communication. This department has expertise in how to define different target groups, identify similarities and differences, and tailor messages so that they reach as many as possible.

In The Security Culture Framework it is important to create an effective delivery mechanism to create and cultivate a good security culture. The marketing department should be an important ally in reaching out to a wide range of employees in different divisions and countries with different cultures.

They have the experience and knowledge in how to design and accomplish communication and marketing campaigns, define realistic goals and measure the effect of these campaigns.

To ensure that measures in The Security Culture Framework are organized as marketing campaigns with clearly defined goals, start and stop times, and effective measurement, it is key to involve the marketing department.

The marketing department is the third core role in The Security Culture Framework. Put simply, they are the experts at effective communication.

CEO/The Board/Management team

This is the communication channel with decision makers. It is important that the work with security culture has support from management. Firstly, it is hard to run a good security culture program without support from management. Secondly, in today’s business environment security and security culture now have an impact on the reputation of the company, financial results and organizational culture.

It does not mean that the CEO, CFO or the board has to actively participate in organizing and implementation, but they should believe in and support it.

The CFO is often a key to funding internal programs, and is for that reason important to involve.

The CEO and the rest of the management team should be involved as supporters and pioneers. This is a case of actions speaking louder than words.


It is important to remember that the reason for building and maintaining a security culture is for the employees in the organization. Therefore content and delivery are king!

In many organizations it may be necessary to segment and define different target groups. This makes it possible to tailor the message to their needs and way of working:
•    Sales department/Sellers/Marketing
•    Accounting
•    Production
•    Leaders and middle management
•    ICT

Every organization is unique. That is why it’s important to analyze the different departments in the organization and their needs.

As the program’s goal is to create positive and lasting change, you should seek to involve your target audience, asking them what kind of messages they’d like to see as well as suggesting what the program will deliver. This way you can build their suggestions in, which will foster engagement!


The ICT department (or external providers) is in most organizations a key to effective technology-based communication and distribution of information.

Many security-related measurements are already done with ICT tools, and the ICT department has in most cases a complete view of the different tools, programs and systems the organization uses.

You need to engage and involve the ICT department not only for data collection and measurements but, most importantly, for technical delivery of the awareness content.
