A microscopic beginning to developing a security culture in your organisation

Sometimes the most valuable sources of information are not what you might expect.

For example, to better understand how to protect your organisation’s most valuable information from impending threats you will need to develop a security culture, and borrow some ideas from one of the most amazing cultures on the planet. I am referring to a culture that is approximately 100 million years old, entailing a species that survived through times when the dinosaurs surrendered; a culture that is best described as a collective in which each member has a part to play; a culture that relies upon ongoing communication; and a culture that you undoubtedly would have encountered many times when outdoors simply by looking around your feet as you tied your shoelaces. If you have not figured it out by now, I am speaking of “ants”.

Culture is best defined as a behaviour of a society, and ants have a society… well, a colony to be exact, which can stretch for thousands of kilometres and include millions of ants. Though ants, even of varying species, may look much alike, in their culture their behaviours are determined by roles such as queen, nurse, carpenter, soldier, scout and worker.

Did you know that ants are the only non-mammalian species that provide training to younger members of the species about their role? Younger members of a colony are taught by more experienced ants how to locate food, how to carry it and how to enter battle, and the more experienced ants will adjust the pace of the training process to suit the learner.

In order to instigate a security culture in your organisation you will also need a flexible training program that will teach less knowledgeable users how to identify security threats, what an insider threat looks like, and what to do when a threat is discovered. One of the most dangerous situations is the employee in your organisation who thinks they know something about security when they do not. Create the right kind of culture that rewards learning and development and gives each user a role to play in the growth and protection of your organisation.

Have you ever found ants in your home? You may have been lucky to spot one or two, taken some kind of evasive action and had no further problems. If you didn’t, you may have awoken to find that those first few ants, known as “scouts”, having gone undetected, had left a scented trail for “workers” to follow to a food supply, perhaps the leftovers from last night’s dinner, and that you had been inundated by ants. What happens here is that the ants successfully use teamwork to identify a food source, determine if the risk of helping themselves to it is low and then commence an operation to harvest it for themselves.

Your organisation can also use a similar strategy to protect your most valuable information sources simply by having everyone work together. When I say everyone, I mean just that. Information security is not just the role of the information security team, but the role of everyone who interfaces with information. An organisation with a security culture that empowers collaborative efforts will be far better placed to respond in force when a threat is in progress. Too many organisations expect the information security team to be on the lookout for a battle, go to battle and then perform the clean-up operation. An army of many will always be more victorious than an army of just a few.

You do not need to be able to carry fifty times your body mass or grow an additional four legs to behave like an ant. Just taking on board a few of the wisdoms that ants have developed over their 100 million or so years scurrying across the ground will help your organisation develop a security culture and provide a stronger defence against impending threats.

Stay tuned for my next post in which I will give away some ideas on how to start developing a security culture in your organisation.

About the author:

Andrew Bycroft is a prolific writer, blogger, strategist, advisor, and presenter, and strives to challenge the status quo in information security in order to help organisations develop a successful and strategic approach to security centred around risk as opposed to the problematic and traditional tactical approaches to security determined by budget, technology or compliance.

Andrew’s career spans close to 20 years having been engaged to consult, design, deploy, train and manage all manner of complex technologies and develop creative solutions to address a variety of threats. Andrew is most commonly known for his unique talent of conveying the complex messages of security in language that both technical and executive level audiences can comprehend. Andrew has also developed and delivered course material for half day and full day workshops at a number of industry events covering topics such as governance, risk and compliance, PCI DSS, BYOD, VoIP security, cloud security and threat awareness.

Andrew is the founder and lead security strategist at The Security Artist and is recognised as one of Asia Pacific’s pre-eminent security advisors and consultants.
