Technology won't save you from nation-state cyber-espionage, your corporate culture will.
"Every employee needs to be thinking about security the same way they think about brushing their teeth each morning," Jason Brown, national security manager for defence contractor Thales, told last week's Security 2012 conference in Sydney.
"I think security is one of the living organisms of a body. If security isn't treated as a living organism, you won't keep it in the minds and hearts of people. And the environment is constantly changing," he said.
Brown was one of several presenters who stressed the importance of security being understood at an organisation's highest level: the board and CEO. While Thales' security requirements are more critical than most organisations', it's still a matter of leading from the top.
But while the technology and compliance issues have to be covered, Brown says they're not enough by themselves.
"The [ISO] standard for IT, this 27000 series, will not protect you from the type of cybercrime that we're talking about when we talk about state-based espionage or high-level criminal attack. It's actually the culture of the organisation, the capacity for [staff] to say 'There's something wrong with this message' or 'I've got a problem with my system' and do it really quickly," he said.
A security culture has to be consciously developed.
"Sometimes security is seen as the negative connotation within corporations and really one of the big challenges is how you turn that around," said Nicholas Martin, director of risk management consultancy Occams Razor. "How do you make yourself feel relevant to the organisation?"
Martin offered six tips for developing a security culture, based on his experience in security roles including head of corporate security for Macquarie Group, general manager of security strategy for Telstra, and ten years in the Royal Australian Navy as a mine warfare and clearance diving officer.
- Developing a security culture needs real support at senior levels so it gets the focus and attention it needs. You need a specific "champion" for security in the organisation.
- You need to understand the organisation. All security programs are much the same, but corporate cultures differ widely. You must meld the security program to fit with the organisation's existing culture.
- You must articulate the plan clearly, in language everyone can understand. "A lot of security programs can't articulate what they're doing. They'll have a security policy which is full of a lot of terms and phrases that might be specific to the security program, but the broader organisation doesn't really understand what they mean," Martin said.
- Don't focus too much on risks and threats. Words like "threat", "risk", "mitigate" and so on aren't understood, and the threats change over time anyway.
- Play to your strengths, both corporate and individual. For example, in a physical distribution company, the existing understanding of the physical risks of theft can be used as a basis for understanding other risks.
- You need diversity on your security team. Don't stack it with ex-police and military people. They might work well together, but they'll become an enclave separate from the rest of the organisation.