Later today, I will be a panellist on a live recording of the Cloudsoft On-Demand podcast.
During the prep call, the need to build a "security culture" came up repeatedly.
But what is a "security culture"?
And how do you build one?
The study of culture consumes the attention of anthropologists, social and political scientists, and a long list of other interdisciplinary academics, leading to many nuanced and niche definitions of culture.
However, my preferred working definition of culture is:
"Culture is the norms, behaviours, and the stories we tell each other."
This is undoubtedly oversimplified, but it captures the essence:
The idea of security rules and behaviours fits neatly within security...
"You must use multi-factor authentication."
"Do not click on a link in an unexpected email."
However, the idea of stories and narratives in security is often missed.
Think about a family gathering or meeting up with an old friend you haven't seen for a long while.
Inevitably, you will end up reminiscing.
"Do you remember when..."
It's likely a story you have heard many times before.
And the details may not be wholly accurate.
But it's a bit of fun.
It is something we all do - instinctively - when returning to a group.
Simply put, it is re-establishing and reinforcing the cultural bonds of the group.
Our stories and shared histories are what bring us together in a culture.
In security, we have a good understanding of the rules and expectations.
What we should be doing...
And we often know how we would like staff to behave.
But it can feel like a chasm between the two - one that only a few can cross.
This is because we don't use stories effectively.
Stories can be narratives presented at staff meetings, but this is only one aspect.
Stories can also be:
Most importantly, each creates shared histories conveying your business's security values, beliefs, and traditions.
Like reminiscing and repeating stories at a gathering of family or friends, stories are never told once.
They must be repeated regularly to ensure your stories foster the intended behaviours and culture.
Finally, these stories must be shared with new staff.
A fundamental desire to conform means that security behaviours will often be more readily and easily adopted by new joiners.
Long-serving staff can find a change in culture difficult.
However, long-serving staff are also the ones who will have all the near-miss and failure stories of when things went wrong...
...which can be repurposed into new security narratives and myths.
At Fresh Security, our security culture is not the dusty folder of security policies.
It is the stories we tell ourselves and each other about how we work...
At Fresh Security, we:
These stories help us connect the governance and security best practices in the dusty folder with the daily behaviours of our team.