Building our security culture

Presentation transcript:

Building our security culture
Management seminar, September 2011

This high-level awareness presentation for managers forms part of the information security awareness program. It is designed to be presented and absorbed in about 20-30 minutes, depending on how much discussion ensues. Speaker notes provide additional information and prompts for the presenter. They may be printed for distribution as handouts by selecting “Notes Pages” on the PowerPoint print dialogue “Print what:” drop-down.

Introduction

Everybody has their own idea about what a “culture of security” might be, so we’ll start by clarifying what it means to us, then move on to talk about how to establish and improve the security culture within the organization, and finally we’ll consider the metrics question “How would we know if we have succeeded in building a security culture?”.

What do we want?

The items in the green blob are what many would consider the key elements of a “security culture”: There is a generalized intolerance for insecurity among employees, an unwillingness to just shrug our shoulders and accept security incidents. This is already evident among our managers, but it would be more effective if every employee felt this way. Where possible, things are made ‘secure by default’. Information security is taken into account from the earliest stage of specifying and designing IT systems and processes, for example. Security is woven into contracts and agreements with employees and third parties. Security is a normal part of what we do. In a security culture, security is proactive in the sense that employees willingly behave securely and consider the security aspects. They report possible security threats and vulnerabilities even before incidents occur. They are more willing to follow security policies and procedures because they accept their purpose. A security culture ultimately reduces the number and/or severity of security incidents because information security has become an integral part of the organization’s DNA. “Free security” may be a bit over the top, but a security culture can be established with minimal expense or effort, and yet the potential rewards are substantial. We will get more value from our technical security controls, for instance, if they are used properly by people who care about security. “Free security” can also be interpreted in the sense of “free speech” - a corporate atmosphere that encourages full and frank discussion of information security issues. People in a security culture speak up when they find security vulnerabilities. Security is firmly on the agenda and gets taken into account in all manner of business decisions and activities.

But we already have a security culture

Do you really think so? What makes you think that we have a security culture? I’m sure that for every example you can present, the Information Security people can think of incidents where employees didn’t behave securely. Social engineering attacks, for example, are such a serious threat because people generally take things at face value.

Would you spot a fake email like this?

Yes, it’s a phishing email, using LinkedIn as a lure. The From: address is easily faked by the scammers. Where it says “blocked::linkedin-report.com”, that was my email system trying to warn me not to follow the link. Most likely, the site is nothing to do with LinkedIn, but it probably looks like the official LinkedIn site. It probably asks me to log in (giving my username and password straight to the scammers). It probably tries to exploit security weaknesses in my browser software as well, often installing Trojans. [Warning: please do not try to visit the site to find out, as your system may be compromised.] Hopefully all of us know about this kind of scam by now, and of course we don’t fall for them. But before we became aware, some of us did fall for them, and some still do. Awareness is key.

[Slide callouts on a LinkedIn profile screenshot: “Handles sensitive medical data”, “LinkedIn”, “Job title”, “College”, “8 colleagues to exploit”, “Too easy!”, “25m more targets!”]

Still on the LinkedIn theme, here’s a typical public LinkedIn profile for a random CEO. [I don’t know Adetta. I have no ax to grind. This is not personal. It could have been almost any one of the millions of professionals on LinkedIn!] Now think about your own use of social media. How much juicy information could a social engineer gather about you just by searching for your name on the web? What about your colleagues, friends and family members? In a security culture, people are more aware of the dangers and less inclined to disclose such sensitive information.

OK, so how do we get it?

If you accept that a security culture is indeed a valuable goal, what would you suggest we do to establish or improve ours? Our answers to this question are on the next slide, but think for a moment about what you would do.

How do we get a security culture?

OK, here are our suggestions: Leadership and direction means making it patently clear to our people that security matters. It is an important objective for the organization, and there are things people should or should not be doing in order to improve the level of security. Defining a suite of information security policies, procedures and guidelines makes the specific security obligations crystal clear. Being open about the value of security is one way for management to make their support for security evident to staff, and indeed to each other. This goes beyond simply behaving securely – it is about explicitly demonstrating secure behaviors and decisions. Authorizing and complying with the security policies etc. is one way to show support. Using rewards and punishments is another (more on that below). Persuading and motivating our people to behave securely involves more than telling them to comply with the policies “or else!”. Stark orders are unlikely to be complied with, except under sufferance. Information security awareness, training and educational activities (such as this very seminar) are designed to help employees understand what is being asked of us, appreciate why security is important, and give us the skills to behave securely. In relation to information security, we tend to use punishments (such as disciplinary action or prosecution) to ‘enforce’ security policies. To build a security culture, however, it is equally if not even more important to reward secure behaviors. Something as simple as saying “Well done for reporting that incident so promptly – thank you!” can make a lasting impression. If compliments like that are given frequently and genuinely, they will have an effect.

How do we know when we have it?

One of the characteristics of a security culture is that people tend to behave securely and avoid doing insecure things, even when they don’t think they are being monitored. For them, security has become a natural, largely subconscious part of their normal behavior. This is what we’re trying to achieve. As to how to find out if we have a security culture, we could perhaps invite a team of behavioral psychologists to characterize and measure us … but you are probably relieved to hear that there are other, less disruptive and costly approaches. If you are interested in this area, please read the management briefing paper that suggests possible metrics, and by all means speak to the Information Security Manager about it.

Summary

A security culture may not be free, exactly, but it’s comparatively cheap and, if done well, highly cost-effective. Remember that we are asking people to change their behaviors, which means we are talking about a change management activity. A comparatively minor investment in security policies, rewards and awareness training will all work together to reduce the number and cost of security incidents and hence save us money. It will leverage our expenditure on technical, physical and legal security controls, making everyone part of the security team.

Management action plan

Check the security policies & procedures
Lead by example: demonstrate secure behaviors, place a value on security
Identify and reward secure behaviors
Encourage open discussion about security matters – talk it up a bit
Reap the benefits of a security culture

This simple six-point plan is all we are asking you to do. Please play your part in building and sustaining our culture of security.

Further information

Information Security Policy Manual and other security awareness materials
CIO or Information Security Manager
Browse the intranet Security Zone
Managing the Human Factor in Information Security by David Lacey and Spies Among Us by Ira Winkler
Google for more!

This presentation is just one element of the security awareness program. Further presentations, briefing papers etc. are available on request, and on Information Security’s intranet Security Zone. The Information Security Manager would be pleased to provide further information or discuss the points raised today. Just ask. Please find opportunities to discuss information security with your peers and staff. The security awareness program depends on widespread involvement to create and maintain a corporate culture of security. We would really appreciate your help to get people thinking and talking about information security – for example, social engineering. To close this seminar, we would particularly welcome your suggestions on other ways to grow our culture of security, either now or later.