Security culture was named the number one hot topic in the ClubCISO live vote this year, and it didn't surprise me. A few years ago, security awareness was the most popular kid in class, but recently there has been an acknowledgement that awareness alone is unlikely to deeply engage people in cybersecurity or even necessarily positively influence behaviours - unless it is part of a positive cybersecurity culture.
Edgar Schein, Professor Emeritus at the MIT Sloan School of Management, is a well-known theorist on organisational culture. He describes organisational culture as the values and beliefs that establish the norms of expected behaviour which employees follow (Schein, 1992, Organizational Culture and Leadership). This definition makes clear why culture matters so much to security: whether you have a positive or negative security culture has a huge impact on what people in your organisation recognise as normal and accepted behaviour, which in turn influences how they themselves behave.
In a keynote yesterday at the University of Kent Cyber Security Forum, I referred to the importance of culture in cybersecurity. Over lunch, a couple of people asked me some follow-up questions, so I thought it would be worth capturing my thoughts in this blog post and video.
I mention security champions in the video; check out this blog post for more about running a champions programme. If you're interested in understanding more about the work we at Cygenta do on security culture, check out some of our services on the human side of cyber security.