After we first met Aimee Laycock in July, we wanted to get a better understanding of how companies evaluate their metrics and come to recognize the need to measure cultural change inside the organization.
How can companies achieve a security culture?
All organizations have a culture of security, but in some organizations, the culture may be unsupportive and ineffective. Security culture is part of the organizational culture as a whole. Whilst some companies have a wide risk appetite, others are more prudent: some are collaborative, and others siloed. Some prioritize customer service, whereas others focus on maximizing their bottom line.
None is right or wrong. The point is that information security must fit within the company’s way of doing business and, therefore, the first step should be to understand the company’s risk appetite, its business objectives and assess the current state of their security culture.
How can they measure it?
There are several ways:
- They can rely on assumptions, impartial information, or opinions. The obvious issue with this is that the results are not fact-based, do not tell the whole story, and will be biased. This more-or-less equates to doing nothing.
- They can use consulting, which may generate a lot of interesting reports, but it’s expensive and time-consuming. The result is a report that has limited uses and lacks actionable results that can be used across organizations reiteratively.
- They can follow best practice and use recommended tools. This ensures that a standard in measurement is applied, producing reliable metrics that can be repeated over time to yield standardized, time-based data. Moreover, such tools allow the data collection and analysis process to be automated, saving time and money. ENISA recommends using the CLTRe Toolkit. It yields detailed and comparative results from across the entire organization which also have wide-ranging operational uses.
How is it done?
Security culture is measured across seven dimensions – attitudes, behaviors, cognition, communication, compliance, norms and responsibilities. Each dimension has its own distinctive qualities that can be quantified and used to map out the security culture across the organization.
Security culture benchmarking provides insight into how culture maturity compares: for example, companies can compare their overall score by industry, geography and size of business. Having a map of the security culture in their own organization also allows for comparison between different departments and teams, which means they can really see what is going on internally and get detailed, actionable information from within their organization.
Why should a company do continuous measuring?
Culture is elastic. It changes continuously. In order to track its changes, and the effectiveness of efforts to positively influence it, companies need to use a fixed set of metrics that fully, accurately and reliably describe and define the security culture at any one point in time.
Then, with a reliable and accurate method of measuring culture that is fixed and repeatable, we can create a benchmark measurement and compare the results. Unless we can compare the results – for example, between teams and departments, between companies and industries, and over time – we cannot yield any meaning from any of it.
What do they do with the results?
The best way I can think of to answer this is to give a few examples of how our customers use their results:
Example 1 – Communication
One of our bank customers used our tool to investigate how security is communicated within their organization and discovered that the employees did not talk about security positively. They used the insights delivered by our tool to identify in which business areas employees tended to complain about technical controls getting in the way of their work.
Using this information, they created a targeted cybersecurity communication strategy that enabled them to use the assessment tool itself and turn the negativity into positive communication about security. In doing so they saw an organization-wide improvement in attitudes towards security, an increase in positive engagement and a reduction in risky behaviors.
Example 2 – Engaging the employees
One of our customers in the ICT sector used our tool to document their employees’ attitudes towards cybersecurity, and discovered that their sales teams thought security was negatively impacting their performance. The company reviewed their business model and created a new sales strategy (and new sales arguments) in which cybersecurity was a key selling point.
By doing so, their salesforce learned how important cybersecurity is for their customers, which influenced their own attitudes towards security, resulting in an improved security culture overall within the sales teams, and was also attributed to improved sales performance.
Example 3 – Due Diligence
One of our customers is a large, global industrial company, which grows by acquisition. They needed a way to compare the security cultures of their existing companies with those they newly purchase. They use the baseline measurements to compare the security cultures as part of their due diligence to understand how compatible the new company is for them.
They plan to continue using our tool to monitor how security culture changes throughout the transformations and internalization of these companies moving forward.
Example 4 – Comparing across countries
One of our customers has offices in 12 countries, using eight different languages. When they used our product to measure, they discovered variances in the security cultures between the offices. In particular, one office stood out on behaviors, compliance and norms.
The customer created an improvement program specifically for this office and is starting to see noticeable improvement in its security culture. By measuring first, they were able to target a specific group of employees in one location and tune their activities to their unique needs, which proved to be a more effective and cost-saving measure.