A microscopic beginning to developing a security culture in your organisation

Sometimes the most valuable sources of information are not what you might expect.

For example, to better understand how to protect your organisation’s most valuable information from impending threats you will need to develop a security culture, and borrow some ideas from one of the most amazing cultures on the planet. I am referring to a culture that is approximately 100 million years old, entailing a species that survived through times when the dinosaurs surrendered; a culture that is best described as a collective in which each member has a part to play; a culture that relies upon ongoing communication; and a culture that you undoubtedly would have encountered many times when outdoors simply by looking around your feet as you tied your shoelaces. If you have not figured it out by now, I am speaking of “ants”.

Culture is best defined as a behaviour of a society, and ants have a society… well, a colony to be exact which can stretch for thousands of kilometres and include millions of ants. Though ants, even of varying species, may look much alike, in their culture their behaviours are determined by roles such as queen, nurse, carpenter, soldier, scout and worker, etc.

Did you know that ants are the only non-mammalian species that provide training to younger members of the species about their role? Younger members of a colony are taught by more experienced ants how to locate food; how to carry it; and how to enter battle and will adjust the pace of the training process to suit the learner.

In order to instigate a security culture in your organisation you will also need a flexible training program that will teach less knowledgeable users how to identify security threats; what an insider threat looks like; and what to do when a threat is discovered. One of the most dangerous situations is the employee in your organisation who thinks they know something about security, when he or she does not. Create the right kind of culture that rewards learning and development and gives each user a role to play in the growth and protection of your organisation.

Have you ever found ants in your home? You may have been lucky to spot one or two, taken some kind of evasive action and had no further problems. If you didn’t then you may have awoken to find those first few ants, known as “scouts”, when undetected, have left a scented trail for “workers” to come and find food supply, perhaps the leftovers from last night’s dinner, and you would have been inundated by ants. What happens here is that the ants successfully use teamwork to identify a food source, determine if the risk of helping themselves to it is low and then commence an operation to harvest it for themselves.

Your organisation can also use a similar strategy to protect your most valuable information sources simply by having everyone work together. When I say everyone, I mean just that. Information security is not just the role of the information security team, but the role of everyone that interfaces with information. Having a security culture that empowers collaborative efforts will be far better placed to respond in force when a threat is in progress. Too many organisations expect the information security team to be on the lookout for a battle, go to battle and then perform the clean-up operation. An army of many will always be more victorious over an army of just a few.

You do not need to be able to carry fifty times your body mass or grow an additional four legs to behave like an ant. Just taking on board a few of the wisdoms that ants have developed over their 100 million or so years scurrying across the ground, will help your organisation develop a security culture and provide a stronger defence against impending threats.

Stay tuned for my next post in which I will give away some ideas on how to start developing a security culture in your organisation. ____________________________________________________________________________________

About the author:

Andrew Bycroft is a prolific writer, blogger, strategist, advisor, and presenter, and strives to challenge the status quo in information security in order to help organisations develop a successful and strategic approach to security centred around risk as opposed to the problematic and traditional tactical approaches to security determined by budget, technology or compliance.

Andrew’s career spans close to 20 years having been engaged to consult, design, deploy, train and manage all manner of complex technologies and develop creative solutions to address a variety of threats. Andrew is most commonly known for his unique talent of conveying the complex messages of security in language that both technical and executive level audiences can comprehend. Andrew has also developed and delivered course material for half day and full day workshops at a number of industry events covering topics such as governance, risk and compliance, PCI DSS, BYOD, VoIP security, cloud security and threat awareness.

Andrew is the founder and lead security strategist at The Security Artist and is recognised as one of Asia Pacific’s pre-eminent security advisors and consultants.