Six tips for developing a security culture

Technology won't save you from nation-state cyber-espionage; your corporate culture will.

"Every employee needs to be thinking about security the same way they think about brushing their teeth each morning," Jason Brown, national security manager for defence contractor Thales, told last week's Security 2012 conference in Sydney.

"I think security is one of the living organisms of a body. If security isn't treated as a living organism, you won't keep it in the minds and hearts of people. And the environment is constantly changing," he said.

Brown was one of several presenters who stressed the importance of security being understood at an organisation's highest level: the board and CEO. While Thales' security requirements are more critical than most organisations', it's still a matter of leading from the top.

But while the technology and compliance issues have to be covered, Brown says they're not enough by themselves.

"The [ISO] standard for IT, this 27000 series, will not protect you from the type of cybercrime that we're talking about when we talk about state-based espionage or high-level criminal attack. It's actually the culture of the organisation, the capacity for [staff] to say 'There's something wrong with this message' or 'I've got a problem with my system' and do it really quickly," he said.

A security culture has to be consciously developed.

"Sometimes security is seen as the negative connotation within corporations and really one of the big challenges is how you turn that around," said Nicholas Martin, director of risk management consultancy Occams Razor. "How do you make yourself feel relevant to the organisation?"

Martin offered six tips for developing a security culture, based on his experience in security roles including head of corporate security for Macquarie Group, general manager of security strategy for Telstra, and ten years in the Royal Australian Navy as a mine warfare and clearance diving officer.

  1. Developing a security culture needs real support at senior levels so it gets the focus and attention it needs. You need a specific "champion" for security in the organisation.

  2. You need to understand the organisation. All security programs are much the same, but corporate cultures differ widely. You must meld the security program to fit with the organisation's existing culture.

  3. You must articulate the plan clearly, in language everyone can understand. "A lot of security programs can't articulate what they're doing. They'll have a security policy which is full of a lot of terms and phrases that might be specific to the security program, but the broader organisation doesn't really understand what they mean," Martin said.

  4. Don't focus too much on risks and threats. Words like "threat", "risk", "mitigate" and so on aren't understood, and the threats change over time anyway.

  5. Play to your strengths, both corporate and individual. For example, in a physical distribution company, the existing understanding of the physical risks of theft can be used as a basis for understanding other risks.

  6. You need diversity on your security team. Don't stack it with ex-police and military people. They might work well together, but they'll become an enclave separate from the rest of the organisation.

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian
