Perry Carpenter - The Security Culture Playbook

As an industry, we will always have to solve (and evolve) for both sides of the equation (technology and humanity). Not implementing standard and reasonable technology-based tools proven to improve an organization's security posture would be negligent. Similarly, not acknowledging that technology will never be 100 percent effective at preventing cybercriminals from creating well-crafted attacks targeting humans, such as emails or other messages that reach your end users, is also negligent. Neither approach is mutually exclusive of the other. And whenever we create stronger security protocols intended to help our organizations, there will be a group of employees who will intentionally or unintentionally find ways to bypass those controls. The human element must be a factor in the deployment of technology, and it should be understood as a security layer in and of itself. Your defense-in-depth security strategy should always account for the following:

Determined human attackers who are continually probing for flaws within your security technologies (and that flaws will always exist)

Unwitting employees who find themselves on the receiving end of a cybercriminal seeking to accomplish their goals by going around the technical layers of an organization's defenses, targeting humans instead

Employees who negligently or intentionally circumvent technical controls

Employees who negligently or intentionally divert from the organization's policies, controls, and processes

The interdependency between policies, controls, and processes that exist in the physical world and those of the organization's technology-based systems

The ever-evolving ecosystem of mobile, IoT, and other new technology-based systems that your people will engage with

The reality that digital data can easily spill into the physical world (e.g., printouts, whiteboards, conversations, and so on)

Thinking about this, we can safely conclude that the human element of security will always be something that deserves intentional focus.

If you need more evidence that traditional technology-centric approaches to security are ineffective at stemming the tide of data breaches, then you owe it to yourself to have a look at Verizon's Data Breach Investigation Report (DBIR). Each year, the Verizon DBIR provides a deep analysis into the types and causes of data breaches. And each year, they find that a vast majority of data breaches are caused by some form of exploitation of the human element or by human error. For instance, the most recent report as of this writing, Verizon's 2021 Data Breach Investigation Report, found that of the over 5,250 breaches they analyzed, 85 percent involved the human element (Verizon, 2021; Sheridan, 2021).

It's time to remove our rose-colored techno-centric glasses. Technology cannot and will never block all threats that involve humans. And that's why a focus on security culture is critical.

It's time to remove our rose-colored techno-centric glasses. Technology cannot and will never block all threats that involve humans. And that's why a focus on security culture is critical. This is a rallying call to build up our human layer of defense.

Let's face it. We already know what we have to lose by not focusing on the human layer. Breaches are on the rise. Phishing is on the rise. Ransomware is more rampant and destructive than ever (Register, 2021), growing at a rate of over 150 percent in just the first half of 2021 (Seals, 2021). Cybercriminals are constantly searching for the least fortified aspects of your defenses. It's clear that technology alone will never adequately defend your organization. It's time to move beyond paying lip service to the human side of security. It's time to intentionally focus on building a healthy security culture.

Let's start off with what should be a simple question: What does the phrase security culture mean to you? In other words, if you were asked to define security culture, how would you answer?

In November 2019, KnowBe4 commissioned Forrester Consulting to evaluate security culture across global enterprises. The results were eye-opening. Forrester Consulting conducted an online survey with 1,161 respondents who all had managerial duties or higher in security and risk management. The study found that 94 percent of respondents said that security culture is important for business success (KnowBe4, 2020).

Let's face it, Ninety-four percent is big, and getting 94 percent of people to agree on anything can feel like a miracle in today's world. So, these leaders obviously place value on having a strong security culture. But here's the thing: There was no agreement as to what a security culture actually is.

In that study with 1,161 respondents, there were 758 unique definitions given for security culture. Forrester analyzed these 758 unique definitions and broke them into five different categories based on the general sentiment reflected in each of the proposed definitions. Here's the breakdown:

29 percent of respondents believed that security culture is compliance with security policies.

24 percent said that it was having an awareness and an understanding of security issues.

22 percent said that it was a recognition that security is a shared responsibility across the organization.

14 percent indicated that it had something to do with establishing formal groups of people that could help influence security decisions.

12 percent said that a good security culture meant that security was embedded into the organization.

That's a wide variety of ideas for what security culture is. And it shows the danger of not having a formal, industry-recognized understanding of what this concept really means. Just imagine being in a room where someone is talking about how critical it is to have a good security culture. Now, imagine looking all around the room and seeing virtually everyone (94 percent of the folks in the room) nodding in violent agreement. Seems like a real kumbaya moment, right? Nope. In reality, they are all agreeing to different concepts—preexisting assumptions about what they assume the speaker is referring to, but (and here's the danger) everyone believes they share the same definitional idea. Situations like this belong in Monty Python skits, not as part of the unconscious assumptions driving our security and risk management programs.

Situations like this belong in Monty Python skits, not as part of the unconscious assumptions driving our security and risk management programs.

At this point, you're probably asking yourself which of the five categories we most closely align with. For the most part, we believe that the 12 percent of those who indicated that a good security culture means that security is embedded throughout the organization should get the gold star. Respondents in this category made statements like, “we put security in high regard throughout the company.”

Your humble authors believe this is the most accurate representation of what a good security culture is. The definitions offered up within the other categories would naturally flow from this. Having security embedded throughout the organization and holding security in high regard will result in people following policies, having awareness of issues, and recognizing that security is a shared responsibility, and the intentional creation of groups who would serve as security advocates and liaisons.

Let's be clear. We believe that 12 percent of people offered a directionally correct response. But the other 88 percent of respondents also offered valuable insights. They offered ideas of things that we might consider evidence (or artifacts) of a good security culture.

We, as an industry, have a lot of work to do in making this idea of “embeddedness” and “high regard” something that is synonymous with how people generally define security culture. This understanding indicates much more than what surface-level security awareness can accomplish. It indicates a much deeper appreciation and value of security than simple policy acknowledgments or compliance will ever offer. This is something else—something different from the status quo.