Widespread trust and freedom of choice are not values one often expects to find when it comes to cyber security—at least not on the part of the people and teams responsible for protecting it. But security culture is not only limited to security program teams. Outside the security team, the organizational culture is often one of community and inclusion rather than paranoia or constraint. If you’ve ever worked in an organization that considered itself “a family,” then you’ve experienced a general culture of engagement. This Engagement culture can be quite challenging to manage if you are the CISO or security owner, at least using traditional methods.
What Is an Engagement Security Culture?
Engagement security cultures combine the traits and values of Autonomy and Trust security cultures in the context of the Competing Security Cultures Framework. The prime directive becomes one of empowering people in the belief that they will use their skills and judgment to do what is best for the organization. Many security professionals may scoff and consider this a recipe for failure. The irony is that most people, including security professionals, would prefer to work in an organization that is inclusive and empowering over one that is stifling and mistrustful of its members, and most companies aim for an engaging corporate culture. As a result, an Engagement security culture is often the security culture that exists outside of the corporate security team, with one or two exceptions.
If your organization has an Engagement security culture, one of two things probably occurs with some frequency. First, if the culture exists outside of the enterprise security team, there is likely to be regular tension between those responsible for security and those elsewhere in the organization. Most security organizations value control above other things, and if they are trying to do their jobs in an environment where everyone else values freedom, there are bound to be conflicts. Second, if the culture is shared by some or all of the enterprise security team, then your organization is likely to have a robust and well-funded security training, awareness, and culture (STAC) program. STAC programs are the embodiment of Engagement security culture in most organizations. Where STAC is weak, compliance-focused, and underfunded, security engagement is likely to be low. Where STAC is strong, the company is more likely to have a robust security culture that extends across the organization.
Core Values, Strengths, and Weaknesses of Engagement Security Cultures
Engagement security cultures tend to believe that people are as important to good security as process or technology, and not only in a negative way as with traditional “insider threat” narratives. Organizations with cultures of security engagement understand that human capital is a critical enterprise resource and must be cultivated in all business areas, including the use and protection of technology assets. Security risk in these cultures is seen as shared, rather than owned or managed by a single group. The goal then becomes one of involving everyone in reducing and managing risk, and giving them the skills, knowledge, and tools to do that.
When done right, the key strength that an Engagement security culture brings to an enterprise is that of a force multiplier. In a highly mature and functional culture of engagement, the security team calls on an extended force of resources—a “cultural firewall,” if you will—that amplifies and complements other operational security activities. In an Engagement security culture, people tend to think more about the security implications of their decisions, report problems and concerns more often, and make fewer security mistakes. This can significantly reduce loss and increase the effectiveness of enterprise security overall, but this requires effort and does not happen in a vacuum.
When done wrong, Engagement security culture weaknesses can put an organization at major risk. Without the guidance and support of security owners, an Engagement security culture may simply ignore or discount security out of a lack of awareness and a desire for trust and community. Poorly architected Engagement security cultures are not simply looking for complete freedom to do what they wish. They are most often the product of a workforce that is undereducated in terms of security and has not made security a key value in its daily work. Naturally, in such situations, security mandates that restrict choice, make sharing and collaborating more difficult, or seem punitive and paranoid are resisted. This can result in policy violations, political infighting, and poor decision making from top to bottom, all growing the space in which security failures are more likely.
Where Do You Find Engagement Cultures?
Engagement security cultures are found in most organizations. In many cases, they represent the generalized attitudes toward information security that exist the further one gets from the security program team. When security owners reach out to coach, train, and mentor people throughout the organization, then security engagement is strong and people understand and incorporate good security habits into their working routines. In cases where the STAC capabilities are weak, security engagement across the board also tends to be weak, and people often push back against or ignore security because they do not understand the value it brings to them or their organizational community.
Security Training, Awareness, and Culture (STAC) Teams – Unlike other culture types, no particular industries favor or promote Engagement security cultures over others. Instead, these cultures are most typically found where STAC is prioritized and provided resources and funding to ensure success. Organizations with strong, committed security awareness programs most often reap the benefits of the Engagement security culture, regardless of the industry in which they operate.