Developing a security culture is probably the most important and effective thing an information security manager can do. If you want to develop a successful security culture, you need to ensure the top brass in your organization act appropriately. Culture change comes from the top – if you fail to engage them, then your efforts to create a suitable environment will fail also.
The June 2008 Hannigan Report on Data Handling Procedures in UK Government required a number of actions. One that stands out for me states that “Departments should put in place plans to lead and foster a culture that values, protects and uses information for the public good, and monitor progress, as a minimum through standardized civil service-wide questions in their people surveys”. What is very apparent is that little has been done to address this fundamental issue.
The development of a security culture intrigues me. There are a lot of people (mainly academics and consultants) seeking to attain the intellectual high-ground in this area. This intellectual understanding (if it is indeed so) has not been translated into reality in many parts of government.
One of the prescribed roles in government is that of the senior information risk owner, or SIRO. Each SIRO is tasked with four main deliverables:
- An Information Risk Policy
- An Information Risk Assessment
- Advice on the Statement of Internal Controls
- A Cultural Change Plan
The first three strike me as being straightforward. The final one is not. It causes me to ask the following questions: What is ‘culture’? Why change it? How do you measure it so you know when to change it, and by how much?
So, it’s Wikipedia to the rescue with their definition(s) of culture:
- Excellence of taste in the fine arts and humanities, also known as high culture
- An integrated pattern of human knowledge, belief, and behavior that depends upon the capacity for symbolic thought and social learning
- The set of shared attitudes, values, goals, and practices that characterizes an institution, organization or group
I reckon we’re looking at something that lurks between definitions 2 and 3. All the literature and studies I can find suggest that imposing culture does not work. Culture is not a ‘thing’ in itself – it is the result of many things happening at lower levels within an organization. To change culture, you need to change the way people interact with each other.
What is also a common thread in the literature is the use of terms I can only describe as ‘horticultural’. Examples include the already mentioned ‘nurture’, ‘foster’ and ‘cultivate’. It’s perhaps no coincidence that the Latin root of the word ‘culture’ is cultura, which in itself stems from the word colere, which means to cultivate.
This leads on to the inevitable development of a series of horticultural metaphors relating to culture. A gardener seeks to develop an environment wherein things he wants to grow actually do grow. He seeks to discourage or prevent things that he doesn’t want to grow. He wants to keep pests out, to stop them from destroying the things he wants to grow. He is trying to provide the right conditions for his plants to do their stuff. He can’t do their stuff for them.
Given that cultural imposition is ineffective (history has too many examples of attempted cultural suppression that leads to fierce resistance and failure), if we want to change our organizational culture to one that has characteristics we want, then we have to provide the right conditions. We can, to some degree, secure ourselves from pests – an anti-bird net is a fine metaphor for a firewall, as is a slug pellet. Providing safe conditions can be equated to providing feed (compost and minerals, for example).
I think that the prime ingredient for a sound security culture is the example set by senior managers. This can probably fall into a ‘nurturing’ metaphor, but I know most metaphors fail to withstand close scrutiny and analysis, so I’m not taking it too far! This aside, the concept remains sound. Without the big players walking the walk, you will probably fail.
People hate change. If they hear senior managers demanding that people ‘do as I say, not as I do’, then they have the best reason for acting in the same way. They need to know how they should behave. You have to identify those behaviors you consider most appropriate to the security culture you want, and then encourage people to behave that way.
This issue is often made more difficult because managing a cultural change initiative goes beyond the normal bounds associated with information security management. You need to integrate with your HR function, your corporate governance bodies, your trades unions (if you have them) and many others. You are also asking people to change, which is one of the hardest things anyone can attempt.
There are some simple tips that make this a little easier. You need to understand what it is you want. You need to articulate this understanding clearly so that other people understand what you want. You need to communicate your understanding clearly and try, wherever possible, to demonstrate that the change you are asking for brings benefits to those affected by them. You should also ensure a degree of continuity in the change process.
If there are elements that are familiar in the ‘new’, then they are likely to be more readily accepted. Unfettered radical change that misses this trick is very hard to accept – mainly because it will feel like an imposition, and we know that rarely works.
This issue is going to grow and grow. Start cultivating now.
Gregor Campbell is an information security consultant working in both the government and private sectors in the UK.