Security culture has been a trend in this industry for some time: it promises a more secure workplace, more aware employees and a culture of privacy in the era of GDPR. However, knowing how to achieve it, how to measure it and how to get staff to adopt it remain some of the main challenges.
Some time ago the Security Culture Framework was created and led by Kai Roer, founder and CEO of CLTRe, who recently appointed a new COO to the business.
Aimee Laycock originally joined CLTRe as a business development manager in order to build a better customer base for the company, but she admitted to Infosecurity that this was a new industry to her.
“My field had been much more about B2C for a range of different products and companies, but nothing like this,” she said. “As I got more involved I started to feel like I was making a real contribution and as I got more involved I took a bigger role, and at the time that Kai had launched the bigger version of the toolkit I took on the role of COO.”
Laycock praised the mentoring she had received from Roer, which she said “made me feel like I could do it”. She admitted that she “knew very little about IT or security” and had assumed information security was entirely an IT responsibility. She had also seen and heard examples of girls being left out in school classes. “We need to change that if we are to encourage people in and we need to make it more inclusive,” she added.
Laycock admitted that she found this disappointing, as she would have found these issues “fascinating” at age 14: she was interested in related questions such as social equality and privacy, and these are things people care about now. “Unless we talk about what we can do to change things, people think that this doesn’t concern them.”
She said: “I had no idea on the breadth of information security and data protection and culture and education, and I had never really considered it. The last 18 months working with CLTRe has really opened my eyes, as coming from a business development background and having a degree in economics, I have a particular way of looking at things. It really opened my eyes to the challenges not only companies, but people, have in information security.”
In terms of her day job at CLTRe, Laycock explained that the company is about enabling “a strong and sustainable security culture” and building a strategy around a company’s people and enabling the business to make better decisions. “We help them determine what their security culture is like, identify the strengths and weaknesses and advise how to make sustainable changes within it.”
She explained that in order to effect change, it needs to be measured: you need to determine where you are now and what you want to achieve. “What we found previously with the Security Culture Framework is people ask how they measure security culture, and that is what CLTRe do: we provide metrics to make those things possible and help make the changes and be more effective.”
Laycock said that the process typically begins with a company that has already done some things and then reaches the point of asking “how are we doing?”, wanting to know whether it is doing better or worse than its industry peers.
She said that this is achieved by looking at their metrics: they realize they need to measure cultural change in the organization, and what effect their efforts are having on improving behaviors and culture among employees. “That is when they turn to us, as they want to know if what they are doing is working, and if they can do it better.”
So is having a security culture part of a company’s ethos? Laycock said that it is hard for someone to determine, as it is not something they can put their hands on, but people realize that it is about the culture among the employees and enabling them to make better decisions.
How good is the typical company’s culture? Laycock said that usually a single person comes to CLTRe wanting to make changes internally, and this is typically one person against the whole company; they need to start small and build out, which is a longer journey.
This also comes with pressure from the board to justify the work and show metrics proving why the team should be kept and the method invested in.
“Part of my job is knowing how to help this person and determine where they are in terms of their own process, and how I can help them understand that this is worth the aggravation internally to fight for it,” she said.
We concluded by looking at what security culture means for Aimee Laycock. She said that she has never professed to be a cybersecurity expert and lacked technical skills, “but we all have something to offer and we need to realize that different skills are needed and we all have different interests and different things to offer.”
She said that there are things we could be doing differently and better, and if we improve the way we recruit and retain people “the benefits can be far-reaching.
“Now I am here I am not going anywhere else! Despite all the problems we have in information security, we have so much to offer and if we can fix those negatives and be better at talking about the positives and spreading the message, it will definitely help.”