I read a blog post that quoted a security professional saying, ‘culture is defined as the beliefs we accept without question.’ The blogger, also a security professional, went on to say that his goal is to generate a new security culture, a security culture that “everyone accepts and makes a natural part of their activities.”
That definitely got me going, so I left a comment that explained why I disagreed with that statement.
If you want to read the entire blog post, it’s here. The comment that I left on the blog is duplicated below. It will be interesting to see what the blogger thinks of it (after several weeks, he decided to delete my comment rather than post it*).
Kevin,
I disagree that culture is accepted without question. Culture is the norm of a company or group, and it is questioned constantly, especially as new individuals join the group.
I’m also not sure that security will ever be “a natural part” of anyone’s activities, because security is unnatural. It is natural for most people to trust others; it is natural to take the path with the fewest fences and the least amount of barbed wire; it is natural to want to make money as fast and as easily as possible, with the least amount of investment.
Security REQUIRES you to think, to question motives, safety, and impact of decisions. In my opinion, that’s why so many struggle with it.
My last proof that security will never be natural is that those who know better, the YOUs and MEs who manage and audit security every day, have to force themselves AT HOME to regularly change passwords, update systems and applications, use encryption, make backups, etc. We all hate it, and too many of us put it off just like the rest of the crowd. Right?
Personally, my years of experience point to a 3-part solution to the problem of security culture:
1) Management has to lead from the top. This is where most security cultures die (or are aborted).
2) Mandatory security training, at least annually, to include security training during new employee orientation, with annual follow-up on each person’s performance appraisal; it must be an area where each person is rated. A poor security rating affects your increase, regardless of other areas of performance.
3) Firing people who don’t comply. Determine, document, and publicize the lines that can’t be crossed. Nothing gets people’s attention like a dismissal.
Heavy-handed? Yes. But people do or don’t do anything unless they believe it benefits them or helps them avoid repercussions. That’s the way cultures are built, in my opinion.
One specific example I thought of after I left the comment: how many security professionals and others who know better still log into home computers as admin/root instead of as a regular user with few privileges (see my related post, Log in as Root or Administrator?).
Do you and your users find good security practices come naturally to you, even after you’ve been through security training?
What other proofs can you offer that security does NOT come naturally?
Have you found a better way to create a security culture that isn’t so heavy-handed?
NOTE: Several readers have commented on this topic, and you can read the comments here.
———
* Regarding the blogger’s decision to not post my comment:
- I acknowledge and support his right to ignore any comments for any reason: it’s his blog. On this blog, I’ve posted all legitimate comments (non-spam comments) I’ve received, even negative ones (see AuditMonkey’s comments on Why a Wastebasket Audit?).
- It struck me as strange that the blogger would not take the opportunity to debate the issues I raised. After all, the website’s purpose is to showcase the organization’s expertise in security and get you to use their services. If they can’t debate a fellow security blogger, why should someone buy their services? At the same time, I understand that such a comment calls for a response, and perhaps they don’t have the time or don’t want to spend it in that manner; that’s a valid reason in my book. However, when someone takes the time to read your blog and leave a thoughtful comment, I’d welcome that, and encourage it.
Anyone else have any thoughts they’d care to share?
Yeah, a lot of the “security culture” [on some forums is] simply used as an excuse to be officious and tell people off. Also of course it was regularly broken by those meant to be enforcing the rules. I think we should have certain “standard” rules, no posting of addresses or telephone numbers would be obvious.
Cheap,
Not sure how this ties in with my topic. I edited your comment and removed your link to your website as this seemed more like a spam comment. And your email address was bogus.
Care to elaborate on your comment and tie it in? Otherwise, I will probably delete your comment altogether…