Building a Proactive Security Culture │ Why is it Important?



"Ultimately, we, the security community, need to stop blaming employees as the security problem and start blaming ourselves. It's up to us to understand what the root causes are in failing to change human behaviour and address those issues." - SANS Institute Security Awareness Report 2017.


Developing and maintaining an effective and proactive security culture is an essential component of a protective security strategy in any environment, and helps mitigate a range of threats that could cause physical, reputational or financial damage to an organisation.


Security culture refers to the set of values, shared by everyone, that determines how people are expected to think about and approach security. Getting security culture right helps develop a security-conscious workforce and promotes the security behaviours you want from staff.


Cultures develop over time and are influenced and changed by multiple carriers. Management policies and directives play a role, but also important are example setting, role models, peer behaviour, awareness training and mentoring (CSMP, Unit 11).


The benefits of an effective security culture include:


A workforce that is more likely to engage with, and take responsibility for, security issues that may arise, including insider threat, which is often overlooked but is of serious concern in the majority of organisations.


Increased compliance with protective security measures, for example abiding by an access control policy, or by a search and screening policy on entry to a place of work such as an office.


Reduced risk of insider incidents. As above, insider threat is of grave concern and hugely neglected, as many people focus on external threats and overlook the internal threat from their own employees.


Awareness of the most relevant security threats in the workplace, for example hostile reconnaissance and how to spot this form of behaviour.


Employees who are more likely to think and act in a security-conscious manner, for example closing an electronic access control door to a restricted area behind them where the door is not self-closing.


Many organisations, you would hope, wish to embed an effective security culture in which security is a collective responsibility shared by everyone in the organisation. However, this can be hard to achieve, either because of limited support at executive level or because of an immature approach to security as a whole, where security is treated as a necessary burden or as a purely compliance-based exercise.


Note that endorsement or buy-in at C-suite level is paramount, and that this must be led from the top. From my experience, when senior people do not lead by example, for instance by assuming they are exempt from search and screening, the access control policy or the badge/credential wearing policy, this sends a negative message to employees.


Effective security relies on people behaving in the right manner. This is enabled through an understanding of the threat and a clear understanding of what is required of them. In this way, employees play a significant role in the detection, deterrence and prevention of security threats.


The development of an appropriate security culture, where the right security behaviours are adopted by all employees, is essential to an organisation’s protective security regime.


Used the right way, staff, guard force, contractors, visitors and suppliers can be a huge force multiplier, at relatively low cost, in strengthening your resilience to security threats and reducing your vulnerability to criminality. Cleaners are a good example of a force multiplier: they have access to most areas and see and hear everything, which is especially relevant to insider threat.


The International Security Management Institute's CSMP® states the following:


Security should not be viewed as a narrow discrete activity with its focus around guarding and barriers. It is a culture which needs to be shared and embedded into the business, just like health and safety, business continuity and corporate social responsibility.


Therefore, leadership of the security function requires special skills that go beyond leadership of the immediate team: it requires leadership at organisational level, and the security manager must be a business manager with security as their speciality.


One efficient way to embed security culture within the overall enterprise culture is through the use of local security champions – regular members of staff who hold a departmental responsibility for security matters, are coached by the security manager, but report to their respective line managers.


Regards,


Adam