A Year of Security Culture in Review

Written by

2017 is nearing an end. It has been a very interesting year from a security perspective, with new record-breaking incidents, ransomware grinding organizations large and small to a halt, and more blaming of the human factor for all the faults of security.

It is not all bad, though. 2017 saw more interest in understanding security culture than previously, increasingly moving from academic research facilities into boardrooms and management at organizations of all sizes. 

A growing number of people are working hard to improve the people-side of security. In June this year, the annual Security Culture Person of the Year award was awarded to Martine van der Merwe and Chris Karelse by the Security Culture Community for their important work with creating the 300 large security culture user group in Amsterdam, proving a growing interest in improving the human factor for their member organizations.

Earlier the same month, Infosecurity Europe 2017 put security culture on its program by way of a half-day workshop on how to measure security culture, a workshop that saw participants from across Europe and the Commonwealth attending, discussing and learning how to measure and improve the secure behaviors of their employees. 

In May 2017, we saw the publication of the Security Culture Report 2017: Indepth Insights into the Human Factor, a research report surveying 10,000 employees in the financial sector on their security culture. The report has a number of interesting finds, for example how gender differences matters when it comes to risk acceptance and management.

2017 also has seen a whole new level of marketing blah-blah. In a previous post on this blog, I discussed how two different companies, in the same industry, told two very different stories with numbers, and I asked for more clarity, facts and science, and less anecdotal proof, emotions and scaremongering.

We, as an industry, need to up our game on credibility if we are to succeed in improving security on the human factor. If we insist on pushing marketing that is flawed, false or even fabricated, while at the same time we are claiming to be a trust-based industry, I don’t see how we will build that trust. At least in my world, trust is deserved, it is not built on top of lies. 

There is no doubt in my mind that the human factor is a major key in improving security. I believe we have a responsibility to use that as a strength instead of using it as an excuse as today.

Therefore, I am very happy to see the growing interest in security culture around the world, with initiatives like the SANS Awareness Summit, the Human Factor Podcast and many more where knowledge, experience and ideas are being shared and explored. Is it enough? Not at all. I am betting on 2018 being even better! 

What’s hot on Infosecurity Magazine?