I was speaking with a customer once about a “culture of security” and was asked what, exactly, I meant by that. I realize now that when I answered the question, I described actions taken by her employees as not part of a culture of security, but maybe I didn’t answer the question about what it is. Such a culture can be hard to describe, but as Justice Stewart stated in his opinion on Stanley vs. Georgia, I know it when I see it. I’d like to take a moment to define it and describe it now.
Common Understanding. Even the most basic of management books will agree that the more employees understand the business, how it remains profitable, and how their role contributes to the overall success, the more they understand how they can act to protect and grow the business. Driving that understanding usually results in two actions: first, employees are more engaged with the business and require less frequent, less direct management and second, employees start participating more actively, more pervasively in the protection of the business.
People, Polices, and Technology. If the VPN and firewall are designed to protect the enterprise from unauthorized access, but there are no locks on the door, what is the value of the firewall? Remind your employees of how technology allows them to perform their roles in pursuit of a profitable business, and how the policies and technology and, yes, locks on the door help make the business a sustainable one. Do it gently, but do it frequently. Talk to them about circumventing those controls and make it an open and honest discussion – if they can tell you why they bypass or disable controls, the controls need to be changed just as much as, maybe even more than, as the employee behavior.
Meeting Change with Change. How long does your business go with no change in business? Just keep on keepin’ on? It doesn’t happen very much, anywhere. New customers signed, new services launched, new locations opened, old products retired, old offices closed. Are your security processes as flexible as the rest of your business? Is there any value in keeping the proverbial safe under lock and key when it’s empty? Are you leaving more valuable data assets out in the open?
Users – your employees, colleagues, and leadership – matter. They’re going to have access to the data and systems because it’s how they do their job. It’s up to you, whether system administrator or the VP of IT, to make them an integral part of the security controls. Educate and include them in your planning, don’t treat them (solely) as the threat. As Cisco noted in their 2015 Annual Security Report, “Users are becoming ever-weaker links in the security chain” and I believe it’s just because we haven’t done enough to keep them engaged. You patch your systems and maintain your firewall rules to keep pace with emerging threats and that’s considered a requirement. If you can ‘patch’ your users with the same level of diligence and enthusiasm, your enterprise will flourish as a result.