Security Risk Management & Embedding a Positive Security Culture
Security risk analysis is the first stage in the overall process of security risk management, an important corporate governance tool. Security risk analysis provides a methodology for assessing the likelihood of undesirable, usually malevolent, events and measuring that against potential impact and vulnerability.
Security Risk Management must be collaborative and inclusive, and must factor in the overall business strategy and the business's future operations. If done in collaboration with line management (and not as a separate security management activity), security risk analysis will increase awareness and help ensure that regular employees contribute knowledge about the strengths and potential vulnerabilities of the security measures in place when compared against the assessed risks. Moreover, it will create buy-in to the security measures that follow on as a result of the analysis.
Ultimately, we, the security community, need to stop blaming employees as the security problem and start blaming ourselves. It’s up to us to understand what the root causes are in failing to change human behaviour and address those issues - SANS Institute Security Awareness Report 2017.
Developing and maintaining an effective and proactive security culture is an essential component of a protective security strategy in any environment, and helps mitigate a range of threats that could cause physical, reputational or financial damage to organisations.
Security culture refers to the set of values, shared by everyone, that determine how people are expected to think about and approach security. Getting security culture right will help develop a security-conscious workforce and promote the security behaviours you want from staff.
Cultures develop over time and are influenced and changed by multiple carriers. Management policies and directives play a role, but also important are example setting, role models, peer behaviour, awareness training and mentoring.
Effective security relies on people behaving in the right manner. This is enabled through an understanding of the threat and a clear understanding of what is required of them. In this way, employees play a significant role in the detection, deterrence and prevention of security threats.
The development of an appropriate security culture, where the right security behaviours are adopted by all employees, is essential to an organisation’s protective security regime.
Used the right way, staff, guard force, contractors, visitors and suppliers can be a huge force multiplier, at relatively low cost, in strengthening your resilience to security threats and reducing your vulnerability to criminality. Cleaners are a good example of force multipliers: they have access to most areas and see and hear everything, which is especially relevant to insider threat.
Security should not be viewed as a narrow discrete activity with its focus around guarding and barriers. It is a culture which needs to be shared and embedded into the business, just like health and safety, business continuity and corporate social responsibility.
Therefore, leadership of the security function requires skills that go beyond leading the immediate team: it requires leadership at organisational level. The security manager must be a business manager with security as their speciality.
One efficient way to embed security culture within the overall enterprise culture is by the use of local security champions – regular members of staff who have a departmental responsibility for security matters, who are coached by the security manager, but who report to their respective line managers.