Building a Security Culture has Its Benefits

Since I created the Security Culture Framework in 2012 and open sourced it in 2013, the interest in security culture has exploded worldwide. When I first started in the industry, security culture professionals were but a small group of specialists in the US and Europe, discussing how we, based on our experience, built functional security cultures in organizations around the world.

Today, only a few years later, the interest in security culture is truly global, with a large number of organizations applying the principles of the framework to build and improve their security culture.

In my opinion, it is important to accept the fact that all organizations have a security culture—whether they acknowledge it or not. This means that a poor security culture may have a negative impact on your organization, exposing it to external and internal risk and to data breaches. A security culture can (and should) be improved, and that improvement is itself a potential benefit.

Security culture is defined as the ideas, customs and social behavior of a group (organization) that keeps it secure. To be secure is one clear benefit of a security culture. What being secure really boils down to are the risk assessment, risk acceptance and risk mitigation strategies of the organization. No two organizations are the same in this respect. A risk-focused approach to security culture is a very good idea, as it allows you to direct your efforts to where they will make most sense for the organization.

An organization with a high risk appetite may choose to focus less on security culture than an organization with a low appetite. As long as they understand the short- and long-term outcomes of such a strategy, I have no problem with such a choice being made. The challenge arises when an organization finds itself in the blind—believing they are doing the right things, while waking up brutally one morning with all their data records being leaked to the press, and then, upon closer inspection, discovering that their awareness training programs worked very well to check a box once a year, but did very little, if anything, to build and improve their security culture.

Making informed choices is part of a security culture. Understanding the threat landscape, the risk strategy, and then transforming this into a security culture program is the way to build and improve security culture.

I plan to write future blogs that will discuss the principles of the security culture framework and my experiences building security cultures around the world. I will also take questions and provide answers to your security culture questions.

What is your experience building and improving a security culture? Do you see any settings where an organization could accept a lesser security culture? If so, why?

Editor’s note: Roer’s latest book, Build a Security Culture, is available for purchase at ISACA’s Bookstore.

Kai Roer, Security Culture Coach/Author, The Roer Group

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
