According to Lance Hayden, Managing Director of Berkeley Research Group, harnessing the power of people and culture is the next great frontier for information security. Security culture reflects the beliefs and values of the people that make up your organization. They are intangible and embedded in thoughts and minds. An organization can’t directly observe them, so the question remains: how does one best measure organizational security culture? How long, metaphorically, is our piece of cultural string?

Why is it important to know about an organization’s security culture?

One of the better definitions of organizational culture is simply “the way we do things around here...” But culture is not only about visible behaviors like the dress codes, bureaucratic rituals, or the styles of interpersonal communication. Culture is also an “iceberg” concept, where what you can see above the surface is just a small part of the whole. Most of what we think of as culture lies below the surface of everyday awareness, made up of the beliefs and values that drive our behavior, and the stories and rituals we share and pass on to promote them. Understanding an organization’s security culture is important not just because it gives insight into “the way we do security,” but also tells us more about “why we do security the way we do.”

In cybersecurity, organizations often equate culture with how seriously people take security in their daily activities and behaviors. That’s certainly part of it, but security culture isn’t the same thing as security awareness. Security training and awareness teams often are the “tip of the spear” when it comes to understanding and changing culture, but they can’t do it alone. We’re talking about changing basic beliefs about how the business should run – priorities and values that tend to drive behavior automatically. And this is where the idea of security culture gets very interesting.

Culture is not monolithic, and most organizations don’t have one single security culture. The beliefs and priorities of the IT security team may vary substantially from the beliefs and priorities of the sales department, or the board. In my book, People-Centric Security: Transforming Your Enterprise Security Culture, I developed a model that identifies four basic security culture types: Process, Compliance, Autonomy and Trust. Each of these core cultures exhibits unique values and behaviors, and every organization has a mix of all four. Sometimes the culture types complement one another, and other times they conflict. And differing security cultures competing internally are the most common source of people-centric security risk for an enterprise. Rogue employees represent an insider threat to be sure, but they are minimal compared to the threat of a CISO and other business leaders actively misunderstanding one another and failing to cooperate effectively.

Knowing your security culture is like knowing the personalities on your team. Leadership is about balancing and motivating very different people together to get the best performance from everyone. A CISO or any other security leader can’t expect to execute on security strategy if the organization’s security cultural landscape remains a mystery. As Peter Drucker said, “Culture eats strategy for breakfast.” And technology is often on the lunch menu.

What defines a strong security culture? Or a weak one?

Many enterprise security professionals define a strong security culture as one where people put security first as a priority. But this is an oversimplified view of security culture, and can even result in increased risk to the business. Organizational culture researchers have shown empirically that culture impacts business performance, but they have also found that context matters more than any single type of culture. The strongest cultures are the ones that enable organizations to operate most effectively in their respective environments.

Consider two companies, one a large bank with a century of history, the other a software startup that has been in business only a year. The bank has multiple divisions, including defined IT and security groups. The startup has 30 employees, and most hold multiple roles, particularly in software development. At the bank, every employee is given centrally managed computers and mobile devices for their jobs along with strict policies on how that technology may be used. In the startup, half the employees use their own personal devices, and the other half have devices the company ordered off-the-shelf and handed to them unopened. Everyone has full admin rights, and there is little separation between business and personal use.

One might be tempted to think the bank has the stronger security culture, putting a great deal of effort into controlling IT resources. But what would happen if the entrepreneurs suddenly adopted the bank’s security controls? It’s safe to say that the risk of compromise and exposure on any given device would probably go down as a result of the change. But so too would the overall productivity of the company. Now precious resources would have to be devoted to managing everyone’s devices. Developers might not iterate as fast on code improvements. Key employees might even leave, feeling like things had gotten less fun. These disruptions might be enough to jeopardize the startup’s survival in this early stage of growth, a risk even more top of mind to the founders than the results of a catastrophic attack. For them, a more relaxed security culture allows them to focus on their core business, which protects the company from risk. When security is about the best level of protection for the enterprise, you can’t separate culture from context.

For me, a strong security culture is the set of internal values and priorities that leads to maximum operational effectiveness. A weak security culture, conversely, is one that doesn’t align with enterprise strategy and goals, instead causing conflict and friction that impedes execution or innovation. Culture is a reflection of human capital, and human capital is an enterprise resource like any other. It’s never one-size-fits-all.

How do you measure a security culture?

There’s no single way to do it, and many measures don’t involve quantitative analysis. You can’t really count culture. But lots of people, me included, measure it regularly. But you have to start by getting out of the mindset that measurement is always about counting things. Measurement is not so much about counting as comparing. Measuring security culture is about comparing patterns. Since culture is about people, these may be patterns of behavior or patterns of thought, and we have a variety of tools we can use to measure examples of both. Some will even give us an opportunity to count things again, but in the right context. I developed two models for measuring culture. The one I mentioned earlier assesses security culture the same way psychological tests measure individual personalities. You don’t end up with a high or low score, but rather a visual pattern of values that demonstrates the ways your organization is most likely to think about information security. The second model focuses more on specific behaviors as indicators of culture, and is heavier on counting things to measure them. Unlike the first, it doesn’t provide “top down” insights about broad cultural patterns. Instead it goes “bottom up” to identify known behaviors that contribute to specific security values and goals.

Can a security culture change over time?

Enterprise culture, including security culture, not only can change over time, but almost always will. And organizational studies research has shown that the single best way to influence culture is to create one. Unfortunately, this is also the hardest way to “do culture.” Usually the only people that get a chance to create an organizational culture are the founders who start the organization. In building the enterprise, these founders put their cultural stamp on it, define the values and priorities that will dominate it and initiate the stories and rituals that will define it. Once set in motion, that cultural inertia will be much more difficult to influence than it was to initiate.

This often explains why security teams can struggle culturally. Many organizations predate their own security programs, which were set up later as the need arose. If the way the security team wants to operate is out of sync with the existing culture, it’s like a boat coming along and trying to move the iceberg. I see lots of organizations today who have realized “We’re going to need a bigger boat.”

Fundamentally, you must change what people think and believe, not simply how they behave in the moment. The ultimate measure of cultural transformation is when people behave in the new, desired ways even when no one is watching or reminding them to do so. They do it because that’s just the way we do things around here...

Can you give an example of an organization’s security culture and how metrics were used to mitigate security incidents?

I have a good friend who runs security awareness for a large company. She embarked on an extensive program of employee engagement, including gamification and socialization of security, to transform the enterprise security culture. She used two powerful metrics for how she measured the success of her transformation efforts: the first metric was traditionally quantitative. The company did regular red team assessments to test their own security posture, and could measure the “cost of penetration” for their activities, in other words how much time and effort it took to compromise the firm’s security. As the awareness program grew, individuals in the organization grew more skilled in identifying signs of attack and more comfortable reporting anomalies to the security team. As a result, over time, the red team’s cost of penetration began to trend upwards as more people spotted and reported them, shutting down avenues of attack and forcing them to find new ways in. As the security culture became stronger, attacks against the company became measurably more difficult and expensive. The second metric was regarding tailgating. People would regularly go through doors in groups without everyone badging in. A couple years into the transformation effort, we saw that employees now took the time to individually swipe their badges as they passed through every door, and challenged people they didn’t know to do the same.