Creating culture of organisational cybersecurity awareness
Published on March 29, 2022, by Times Reporter, in Features

According to the Cambridge Dictionary, culture is defined as “the way of life, especially the general customs and beliefs, of a particular group of people at a particular time”.
Organisational culture is the collection of beliefs, values and methods of interaction that create the environment of an organization.
The organizational culture encompasses the foundational values of a company or business.
Each organization has its own culture.
People who adapt the culture of the organization find it easy to relate and contribute.
Those who disagree are regarded as rebels.
Some industrial experts define cybersecurity culture as, “the beliefs, values, and attitudes that drive employee behaviour to protect and defend the organization from cyber-attacks.”
Paul Allen observed that cybersecurity culture is important as it helps protect company assets, from hardware to data.
It needs to be part of a broader corporate culture of day-to-day actions that encourage employees to make thoughtful decisions that align with security policies.
A security culture is more than just cybersecurity awareness.
It requires the workforce to know the security risk and the process to avoid that risk.
It is the building and enforcement of following an operating process of tasks that keeps the firm safe.
Most organizations have spent years and countless resources to acquire and create their data assets, and if that is lost, stolen or corrupted, it could impact their bottom line for years to come.
There is a variety of methods that can be used to promote security awareness.
Some of the more common methods include:
Formalized courses, as mentioned above, delivered either in a classroom fashion using slides, handouts, or books, or online through training websites suited to this purpose;
Use of posters that call attention to aspects of security awareness, such as password protection, physical security, personnel security, and others;
Business unit walk-throughs to aid workers in identification of practices that should be avoided (such as posting passwords on post-it notes in a conspicuous place on the desktop) and practices that should be continued (such as maintaining a clean desk or using a locked screensaver when away from the computer);
Use of the organization’s intranet to post security reminders or to host a weekly or monthly column about information security happenings within the organisation;
Appointment of a business unit security awareness mentor to aid with questions, concerns, or comments surrounding the implementation of security within the environment. These individuals would interact together and with the organization’s security officer. The mentors could also interact with the organization’s internal audit, legal, information technology, and corporate business units on a periodic (monthly or quarterly) basis;
Sponsor an enterprise-wide security awareness day, complete with security activities, prizes, and recognition of the winners;
Sponsor an event with an external partner, such as the Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), SysAdmin, Audit, Network, Security (SANS) Institute, International Information Systems Security Certification Consortium ((ISC)²), or others. Allow time for staff members to fully participate in the event;
Provide trinkets for the users within the organisation that support security management principles;
Consider a special event day, week, or month that coincides with other industry or world awareness events such as Global Security Awareness Week (annually in September) and Security Awareness Month (typically annually in October);
Provide security management videos, books, websites, and collateral for employees to use for reference.
It is important to note that activities should be interesting and rewarding for the organization’s people.
To facilitate this interest, the programme should be adaptable, and the content and format of the awareness materials should be subject to change on a periodic basis.
Job training
Unlike general security awareness training, security training assists personnel with the development of their skill sets relative to performance of security functions within their roles.
A typical security curriculum in a mature organization will include specialty classes for individuals performing specialized roles within the organisation, such as those in IT, accounting, and others.
Even within these business units, specialized training will occur.
For example, in the IT area, it would be advisable for network staff responsible for maintenance and monitoring of the firewalls, intrusion detection/prevention systems, and syslog servers to be sufficiently trained to perform these duties.
Say senior management determined that there were no funds available for training.
What would be the result?
Typically, motivated staff will receive some on-the-job learning; however, it may not be sufficient to perform the job duties adequately.
As a result, the organization is breached and sensitive information is stolen.
Who would be at fault in this case?
Senior management is always ultimately responsible in the organization for information security objectives.
Senior management failed, in this case, to adequately protect the environment by refusing to properly train staff in their respective security duties.
Any legal ramifications would fall squarely upon management’s shoulders.
However, assume that the personnel in question indicated to management that although no paid training was available, they felt comfortable that they could perform the security functions for which they were responsible.
To demonstrate, they performed the requisite functions for IT management to demonstrate capability.
All is well until the organization is breached some months later, and confidential information is stolen.
Senior management returns to information systems management and asks the director to investigate.
During his or her investigation, he or she discovers that patching has not occurred for the past three months.
When the staff was asked about the incident, no satisfactory answer could be given.
Who would be responsible for the breach in that event?
Again, senior management is always ultimately responsible for information security within the organization.
However, senior management held the network team accountable for failing to maintain patching levels and promptly fired them from their positions.
Ensuring that a resource is properly trained can assist an organization in assigning accountability for the satisfactory completion of security tasks for which they are responsible.
The organization must also keep in mind that training should be closely aligned with security risk management activities.
In doing so, the training may result in a partial or complete offset of the risk within the organization.
Performance metrics
It is important for the organization to track performance relative to security for the purposes of both enforcement and enhancement of security initiatives under way.
It is also important for the organisation to ensure that users acknowledge their security responsibilities by signing off after each class that they have heard and understand the material and will agree to be bound by the organization’s security programme, policies, procedures, plans, and initiatives.
Measurement can include periodic walk-throughs of business unit organizations, periodic quizzes to keep staff up to date, and so on.
The author is a speaker, mentor, educator, trainer, professional & community leader, IT & cybersecurity leader. For comments email: ICTMatters@kingston.co.zm; www.kingston.co.zm.