ENISA recently published its Cybersecurity Culture in Organizations report, in which it proposes a structure for building security culture in organizations. I participated in the review of this report, and my work in this space is referred to in it.
With this report, ENISA is publishing the most comprehensive and applicable recommendations and structure for setting up and running a successful security culture programme. The programme uses the free and open Security Culture Framework (SCF) as its basis, and provides the reader with more details and suggestions on how to apply it in the organization.
Further, the strong focus on measuring both security culture in general and, specifically, the outcomes of the activities taken is an important step that I often see neglected in practice today. As such, the ENISA report is well aligned with the upcoming GDPR, where Article 32(1)(d) requires organizations to also measure organizational controls.
By applying the process proposed by ENISA in this report, possibly using templates and best practices from the SCF, together with the metrics set out in the report, I believe that most organizations will be able to create a successful security culture programme.
Adaptations will always be needed; for example, not every organization may be ready to put cybersecurity as a fixed item on the board of directors' agenda. Having this as a goal, I believe, will help the organization mature and improve over time.
There are other things recommended in the report that some organizations may struggle with, for example:
- Measuring each activity every time
- Aligning cybersecurity strategies with business strategies
- Involving employees so they can raise their concerns with the security culture workgroup
- Embracing all seven dimensions of culture
All of these are important, yet they require a certain degree of security culture maturity. Based on my own experience, I strongly suggest that organizations looking to improve their security culture start small: a small programme that succeeds is better than an all-out programme that fails.
Start with the things you are able to do at your current level and budget, measure your progress, learn as you iterate, and grow as you can.
Finally, I would like to praise ENISA for its work in this field. The report is a great step towards better cybersecurity culture in Europe and, as such, should be read and used by all kinds of organizations: government and private, large and small.
Remember, every step counts! Let us build a chain of human firewalls across Europe!