Lessons Learned: Feeble Security Culture Disconnected from Business Objectives Webinar

February 20, 2021 | 5 Minute Read

Within the last year, I was introduced to the free live webinars the SANS Institute provides. Fortunately, they post these informative sessions on YouTube for people like me to enjoy after they are over. Yesterday, I was especially drawn to a webinar titled “Feeble Security Culture Disconnected from Business Objectives” in their Transformational Cybersecurity Leader series. It wasn’t the usual technical topic I would attend, but I learned an important and timely lesson.

Background

I recently finished reading Kevin Mitnick’s “The Art of Deception,” which is full of stories about people working in organizations that were exploited through social engineering attacks. One of the main countermeasures Mitnick preached throughout the book was the importance of security and awareness training to protect the business and the work it conducts. It was also convenient that, the week after I finished the book, the SANS Institute put out the recording of the webcast presented by Lance Spitzner and Russell Eubanks.

During this webinar, they discuss how there have been massive strides in technology security over the last two decades, but not in human security. Every organization should understand that it can buy all the best security tools in the world, and it still won’t matter if there isn’t a strong security culture.

Security Culture

Spitzner and Eubanks define security culture as functionally the same as culture in any other context, “Not only people’s actions and behaviors but their shared beliefs, values, norms, and perceptions.”

An organization’s culture defines what is encouraged, discouraged, and accepted/rejected by its members. A security culture is the shared beliefs, values, and attitudes that an organization’s members have towards security.

I believe this was a critical component missing from the Mitnick book, because, as the presenters noted, “the stronger your security culture, not only will your workforce be more secure, but more likely your security initiative will succeed.” All the policy, training, and awareness in the world don’t matter if there isn’t any buy-in from your organization’s members to the security culture.

Building a Strong Security Culture & Indicators

For training and policies to be effective, all members, not just security personnel, need to be committed to security. So Spitzner and Eubanks discussed how they built on research from multiple disciplines, such as the communications, human resources, and leadership fields, to build more robust security cultures. One of the main methods the presenters brought to the presentation from their studies was Simon Sinek’s Golden Circle.

The Golden Circle method explains the why, then the how, and finally the what. One of the issues Spitzner mentions during the course is how the “curse of knowledge” in the security community keeps us (especially the more technical members) from explaining concepts in ways that reach our audience and that our audience understands. The Golden Circle method gives an easy way to explain why, how, and what a new security policy or product is and its impact on the audience’s area of the organization. That makes it personal, brings it to a level that is easy to understand, and shows the unique benefits and incentives for following the new procedures.

Once the process of building that security culture has begun, the instructors outline some indicators organizations can use. One indicator of a strong security culture that stuck out to me was members’ comfort level in approaching security team members. Russell Eubanks referred to a “Cafeteria Test,” meaning that if he walked into a busy lunchroom at his job, his coworkers would feel comfortable coming to him with their comments, questions, and concerns. Both instructors argued that in a strong security culture, all members should feel comfortable and encouraged to approach the security team about anything, even incidents that they have caused.

Conclusion

At the beginning of the webinar, Spitzner called out a common phrase in the security community, “You can’t patch stupid.” This approach places the blame on the members, but Spitzner suggests that we instead think like this: “People are not the weakest link - they are the primary attack vector.” This shifts the responsibility equally to the members and the security professionals to protect themselves and the organization.

As a technical security member, I think this was an important lesson to learn. Attending this webinar showed me the importance of fostering a strong security culture that encourages and promotes the idea that security is everyone’s job. I also learned that to get buy-in, security needs to be digestible and personal to members. This communication must be in terms that everyone can understand (not just technical jargon) and applied to their situations.

This series has been fantastic so far, and I’m excited to see the last installment on Wednesday, Feb. 24th at 12 PM EST. For anyone wondering about the previous lessons, they are in the SANS Cybersecurity Leadership - Transformational Cybersecurity Leader Triad Series playlist; feel free to check it out!

Thank you for taking the time to read this article. I hope you found something valuable! If you have any questions, comments, or concerns, please leave a comment on this article or send me a message on my Contact page. To keep up with the other stuff I am learning about and discovering, follow me on Twitter @NateRobertsTech.