Culture may be an unusual topic for security awareness and training but this is an extremely important issue. An organisation's information security status is bound to be stronger if workers generally are aware of, and fulfil their obligations towards, security, privacy, compliance, confirmity and so on. If you reach the point where behaving securely is simply "how we do things here", you are on to a winner!
Culture is a hand-waving yet powerful factor in information security just as our national cultures affect the way we think and act. Culture is also dynamic: major events (such as terrorism and major security incidents) can dramatically affect attitudes across broad swathes of people – sharp cultural shifts that change our perceptions, decisions, priorities and activities - for a while at least.
We can't honestly claim to achieve miracles but this module takes a big step in the right direction.
The awareness and training materials inform and persuade workers (staff, managers and specialists), visitors, customers, suppliers, business partners, the authorities and others to think of the organization as secure and trustworthy – a ‘safe pair of hands’ that protects and looks after information properly. Moving beyond perception, bolstering the security culture through awareness leads to a stronger organization. Corporate security culture really matters to the organization - it's very much a business issue with an impressive range of benefits stretching well beyond the information security domain.
- Explore workers’ general attitudes, values and perceptions relating to information risk and security.
- Position information security (plus related concerns such as governance, information risk management and compliance) positively as something beneficial both to individual workers, and to the organisation and society at large.
- Gently shift the corporate culture in a more secure direction/s, for example encouraging people to collaborate and help each other on risk, security, privacy and compliance matters, generally raising standards in this area.
Re your learning objectives, who in your organisation has (or should have!) an interest in the security culture? Information Security, Site/Physical Security, HR, Executive Management, IT, Operations, Sales & Marketing maybe, or someone else? Identify and collaborate with powerful champions and ambassadors to give this topic a real boost. [There are plenty more creative tips along these lines in the train-the-trainer guides in every SecAware module.]
Security culture awareness
Recruiting the entire workforce to the Information Security Team is great in theory, tough in practice. This awareness and training module appeals to management, in particular, to demonstrate leadership and foster a security culture.