Some organizations deliberately foster an environment of inclusiveness and engagement among their members. These organizations want everyone to feel connected not only to the entire enterprise but also to their individual roles and responsibilities. When such inclusion and shared values extend to security, you have a Trust security culture. This culture emphasizes the need to look at security as a shared responsibility, because everyone in the organization shares in security risks. To achieve this mutual dependence and support, Trust security cultures put a lot of effort into training and educating people to understand what security means to them, and how they can contribute to the overall protection of the enterprise.
What Is a Trust Security Culture?
A Trust security culture combines an internal focus on the people and behaviors living within the organization with an attitude toward control that seeks to empower and engage everyone, whether or not they are directly involved in information security operations. These organizations score strongly in the bottom left quadrant of the Competing Security Cultures Framework model.
If your organization has a Trust security culture, you probably have a lot of interaction with the security program, maybe through a robust security training, awareness, and culture (STAC) program. Security is unlikely to be something you only hear about once a year when it’s time to undergo mandatory security training in the form of a video or some slides. Instead, you probably see lots of reminders in your daily work life that security is important. You may also receive specialized training on how to avoid certain kinds of problems, from phishing to tailgating. You may even enjoy games and contests in which you can compete with peers, earn points and badges, or win prizes for doing things more securely or identifying security problems in your organization.
Trust security cultures put a lot of effort and resources into making sure that people have the appropriate skills to manage security challenges successfully. They emphasize sharing and collaboration, in terms of both ideas and activities. Senior management often sets the tone by vocally supporting information security as a strategic enabler and then providing more concrete support in terms of people and money for people-centric programs. A Trust security culture seeks to instill just that: trust that people know how to, and will, do the right things security-wise. At the same time, users trust that the organization is helping them build better skills and knowledge, and that security is something to be proud of and not just a way to get people in trouble for their activities.
Core Values, Strengths, and Weaknesses of Trust Security Cultures
Trust security cultures tend to value participation and a shared sense of commitment over security policies and rules and penalties for not following them. The fear of insider threats is less prevalent in these cultures because of shared values and priorities. People see themselves as part of a group or community, and hurting that community only hurts themselves and those they care about. To make the community more secure, the people in it must also get better at security. The organization does its part by providing guidance and mentoring, and concentrating less on criticizing and punishing.
Trust security cultures can result in very strong and robust security environments. By leveraging everyone in the organization and extending security awareness and knowledge, they foster the creation of a “cultural firewall” that can be as effective as their technological controls, working in concert with the IT infrastructure to protect it in real time. Organizations that have well-functioning Trust cultures around security often see fewer losses, better employee satisfaction, and higher competitiveness among their peers.
The weakness of Trust security cultures is that they can be more difficult to build. Transforming cultural values and beliefs is always harder than plugging gear into the data center, regardless of whether it is more effective in the long run. Trust security cultures also suffer in organizations where there is not a lot of standard process to guide and drive good behavior. The engines of a Trust culture are awareness and shared responsibility, which require solid policies and processes on which people can model their activities. Trust cultures that engage and educate everyone in the organization, and keep those levels of skill and commitment high, require significant buy-in and support from senior management down. They cannot simply be mandated from above, but must be earned by hard work and careful planning. People have to feel truly engaged with security and must be rewarded for their participation in protecting the company. If the organization’s members feel that they are being talked down to, or that the organization is only paying lip service to involving them and improving their skills, a Trust security culture may not only fail but also leave things worse off than before.
Where Do You Find Trust Cultures?
Trust security cultures are not unique or even specifically common to a particular industry or company. Instead, they are found wherever an industry, company, or organization has decided to leverage its people as a means of security improvement side by side with other sources of security value, such as technology systems.
Trust security cultures are often found in organizations that have already made commitments and investments to human capital and talent management, putting emphasis and priority on maximizing the effectiveness of their people and giving those people the means by which they can be more successful. Training, opportunities for growth, and a sense of being part of something larger are all powerful techniques by which people-centric organizations seek to make themselves stronger and more competitive. In a Trust security culture, those same principles have been applied to protecting and securing the organization’s business and information systems and assets.
Security Training, Awareness, and Culture (STAC) Teams – Unlike other culture types, there are no particular industries that favor or promote Trust security cultures over others. Instead, these cultures are most typically found where STAC is prioritized and provided with the resources and funding to ensure success. Organizations with strong, committed security awareness programs are often the ones that reap the greatest benefits of the Engagement security culture, regardless of the industry in which they operate.