InfoSec 2016: Get staff onside to build a security culture

It's not security awareness but changing behaviour that's the problem, and it takes time and effort to get it right, delegates were told at InfoSec 2016.


Security awareness is like smoking awareness – people know with 100 percent awareness that smoking kills – so what is important is changing their behaviour, delegates were told by Andrew Rose, CISO and Head of Cyber, UK Transport Sector, at the Infosec panel today: Securing the connected human: Winning hearts and minds to drive secure behaviour.

Fellow panellist Professor Angela Sasse, director, UK Research Institute in Science of Cyber Security (RISCS), UCL, kicked off the discussion by declaring that a major issue is that, “There are multiple sites with conflicting advice and a lot of security advice out there is rubbish.” Thom Langford, CISO, Publicis Groupe, agreed, saying, “There is some very poor advice out there, and we need to reset expectations of the audience. Security should be automatic and not even a conscious thought (so we) need a significantly different approach.”

Rose added that changing behaviour was less likely to be achieved by sitting people in front of an hour-long PowerPoint once every six months – shorter, more frequent and effective messages, similar to 30-second advertising, might be a better approach. Samantha Davison, Security Awareness & Education Program Manager, Uber, commented, “It's important to build security from the get-go, build security into the culture and make it as instinctive as breathing.”

Despite the condemnation, when moderator David Shearer, chief executive officer, (ISC)2, held a quick poll of the audience, most were still in favour of maintaining security awareness programmes.

From perceptions, the discussion moved on through the ability to perform the desired action, and the triggers that might be deployed to stimulate the desired behaviour.

Sasse emphasised that the advice itself needed to be actionable, and that general policies applied to large organisations often don't work, so listen to your staff, see why they don't comply, and change the technology so as to waste as little of people's time as possible trying to get them to do things they won't or can't do. She added, “It's not a cheap option, it's a two-year exercise and you need professionals involved.”

Davison also described how staff had to be engaged, and cited a supportive approach at Uber that secured 70 percent voluntary engagement, with CEO support rather than edicts. Rose added that while a lot of comedy or game-playing is now used to get the message across, the method has to be appropriate to the audience – the right content for the right people – so comedy may be seen as inappropriate for a profession like the law, where people tend not to be light-hearted.

Davison agreed, explaining that Uber works in 70 countries and customises and localises the content of its training whenever it can.

Langford explained that the goal should be to engender a security culture that would be self-sustaining and self-policing, with people helping each other and a culture that encourages people to do the right thing. While such a culture is difficult to build, it lasts a long time – and without it, convenience wins over security. Consequently the programme needs to focus on being convenient, as policies that are difficult to implement or understand will not be complied with.

He suggested that this included doing away with the culture of Security being the people who say No. Security is there to help the business make money, save money or deliver its service, not to inhibit what the company does, but to be transparent about what the risks are so that decisions can be made on a business-risk basis. Sasse supported that view, noting that a focus on inhibiting just drives things underground: they still happen, but without the mitigating effect of security input.

Security professionals also need to be better educated in soft skills, including communication, suggested Sasse, so as to encourage more positive engagement and an approach of saying, here's the risk, we'll find a way of doing it more securely. She was particularly keen that there should be silo-busting of specialisations and that departments work together.

Rose concluded that it was necessary to see what motivated the ‘bad' behaviour – leaving screens on, etc. – and see what can be done to stop it, then create your own motivators for good behaviour, liaising with communications to include in your communications plan what, how and when to communicate. Davison urged sitting with users to understand what they are trying to do and building the programme that they want, and testing users' behaviour – although users don't always need to know when they are being tested – and using A/B testing to trial different approaches. Sasse reiterated that senior executives need training to understand that security is not a tech problem to be delegated to tech people; it's a business risk that everyone on the board needs to understand. Meanwhile Langford explained that a security culture should be built on experience, and that combining value and a story creates the experience – using humour, drama or whatever it might be that works in your environment.