Build a Security Culture

Post on 15-Mar-2018

Build a Security Culture

Kai Roer

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader's own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:

IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomews Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom

www.itgovernance.co.uk

© Kai Roer 2015

The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2015
by IT Governance Publishing

ISBN 978-1-84928-719-7

http://www.itgovernance.co.uk

ACKNOWLEDGEMENTS

This book is the direct result of my engagement and development of the Security Culture Framework. All the people who have been involved in the development and use of the framework are my inspiration to write this book.

The Security Culture Framework is something that evolved in my mind after many years of watching security awareness training programmes being run seemingly without control, metrics and proper planning. Discussing the topic with Lars Haug, we quickly came up with the concept of a holistic framework to help build and maintain security culture. The framework gained interest in both the USA and Europe, within both the public and private sectors. Financial institutions, universities and many others use the framework today.

Roar Thon, at the Norwegian National Security Agency, is one of the very few experts on security culture. His input, questions and support are always helpful, and his generosity is out of this world. Mo Amin, a London-based security consultant, dedicated many hours of his precious time to review the manuscript and concept for the book. Amin is also a key resource on the Security Culture Framework community, and an inspiration to follow. My thanks also to Wolfgang Goerlich for his helpful comments and feedback during the review process.

A special note to Michael Santarcangelo, who provided deep insights through his questions and ideas. I thank you, sir!

Numerous discussions about security awareness and culture with fine folks such as Javvad Malik, Thom Langford, Quentyn Taylor, Trond Sundby, Rune Ask, Troy Hunt, Joshua Corman, Per Thorsheim and Brian Honan helped me gain an understanding of what security culture is, and how to best bring it about. We may not always agree, but we certainly do learn!

This book would never have been were it not for Joe Pettit at Information Security Buzz. His introductions and continued support have been vital. Vicki Utting at IT Governance has been a great asset when I tore my hair out over writing this book.

To the information security community worldwide: thank you for keeping me on the edge, for challenging my assumptions and for keeping me safe!

Most importantly, thank you to my dear wife, Karolina, and Leo, my son. You are the light.

ABOUT THE AUTHOR

Kai Roer is a management and security consultant and trainer with extensive international experience from more than 30 countries around the world. He is a guest lecturer at several universities, and the founder of The Roer Group, a European management consulting group focusing on security culture.

Kai has authored a number of books on leadership and cybersecurity, has been published extensively in print and online, and has appeared on radio and television and been featured in printed media. He is a columnist at Help Net Security and has been the Cloud Security Alliance Norway Chapter President since 2012.

Kai is a passionate public speaker who engages his audience with his entertaining style and deep topic knowledge of human behaviours, psychology and cybersecurity. He is a Fellow of the National Cybersecurity Institute and runs a blog on information security and culture (roer.com). Kai is the host of Security Culture TV, a monthly video and podcast.

FOREWORD

"May you live in interesting times" is an old saying and one that is certainly applicable to cybersecurity today. As the unfolding events of the past few years have shown us, we are indeed living in interesting cyber times. The evolving cyber breaches of every sector, be it retail, government, education, financial or others, have been the main focus of the technology conversation this entire year. Big box retailers have been hacked, sensitive data at banks breached, and nation states stand ready to wage cyber warfare.

We have developed computers and the Internet and attached many of the most important aspects of our lives to it. Now we find those connections are at risk due to the activities of bad actors bent on malicious activity. We try to defend our digital systems with properly configured software and hardware, but in the end it is often a people problem that permits a large portion of the breaches we read about. People are just not following appropriate procedures, thereby allowing improper access to systems. As many are aware, the best way to reduce the human errors we encounter is through effective education and training. Sadly, such education and training around the globe is spotty at best and often wholly inadequate.

With this book, Kai Roer has taken his many years of cyber experience and provided those with a vested interest in cybersecurity a firm basis on which to build an effective cybersecurity training programme. This requires change, and understanding how the culture of an organisation needs to change to be effective is vital for cyber success. Each chapter is filled with valuable insights, examples and intuitive thoughts based on his experiences that can easily be transferred to the workplace. As system administrators scramble to harden their respective defences, this work couldn't have come at a better time. Anyone obtaining this book will find it a valuable and informative read.

Dr. Jane LeClair
Chief Operating Officer
National Cybersecurity Institute, Washington, D.C.

CONTENTS

Introduction
  Culture: Does it have to be so hard?
Chapter 1: What Is Security Culture?
Chapter 2: The Elements of Security Culture
Chapter 3: How Does Security Culture Relate to Security Awareness?
  Attention
  Retention
  Reproduction
  Motivation
Chapter 4: Asking for Help Raises Your Chances of Success
Chapter 5: The Psychology of Groups, And How to Use It to Your Benefit
Chapter 6: Measuring Culture
Chapter 7: Building Security Culture
  Metrics
  Using SMART goals
  The Organisation part
  Topics
  Planner
  Setting up your organisation to use the Security Culture Framework
Chapter 8: Time Is on Your Side
ITG Resources

INTRODUCTION

Culture: Does it have to be so hard?

In this book, I look at organisational culture with information security glasses. In my years of working in the information security industry, I have come across a number of challenges: technical, compliance, and increasingly awareness and security behaviour. Through my travels and company activities, I have learned that a lot of security behaviour challenges are universal: preparing information security information in such a way that it resonates and makes sense for non-security people is a challenge no matter which country or organisation you work in.

I have also learned that some organisations are better at creating the security behaviour they want. Looking at what they do differently, I found that they approach the work with security awareness as a process. They also respect that security competence is exactly that: a competence that must be learned, not just something you tell.

From more than two decades of professional training and consulting in more than 30 different countries, I have also come to learn that if we want people to learn, we need to facilitate learning together with them. Lecturing alone is not creating results. Reading alone makes for very little change. The saying of the Association for Talent Development (ATD)[1] that "Telling ain't Training" is very true. It took me some time to realise that I too had to learn how to train people properly, a realisation that took me on a rollercoaster of learning, exploration and self-development, leading me to develop my training and communication skills across both language barriers and cultural barriers.

The most important thing I learned in these years was to be humble. Humble about my own perspectives: I may think I am right, and I may have all the experience to tell me I am right, but implant me in Tunisia or Japan and most of my perspectives and experience in treating and communicating with people no longer hold. I learned this the hard way, leading me to realise that there are more ways of doing things than I first accounted for, and that others may achieve great success by choosing a different path than the one I chose.

The same is true with organisational culture. There are many ways of building, changing and maintaining organisational culture. It is one of those areas where scientists and practitioners still argue about the right approach[2]. My experience is that the right approach depends on each case. Every organisation is unique and comes with its own culture and subcultures. Some are great, some really poor. All of them impact the behaviour, ideas and thoughts of the employees. The question becomes: how do we take control of that culture?

As luck has it, there are processes and methods to apply when you want to build and manage culture. Instead of trying to come up with everything yourself, you can learn from frameworks like the Security Culture Framework[3]. Using a framework gives you a clear path with checkpoints and actions that ensure your efforts are moving in the right direction. This is not to say that changing culture is easy, nor fast: it may require many small steps iterated over time. Using a structured approach helps you to do the right things at the right time, making success more likely.

The book consists