Read the book 8 Steps to Better Security - Kim Crawley - Page 10
What Is Security Culture?
Lifestyle and wellness writer Tim Ferriss once said, “Culture is what happens when people are left to their own devices.” There are all kinds of cultures in our world, from ethnic cultures and national cultures to the goth subculture I belong to. Humanity comprises perhaps millions of different cultures, depending on your definition of the word. And chances are you belong to multiple cultures. As for myself, some of the cultures I belong to in addition to goth culture are hacker culture, cybersecurity culture, autistic culture, Anglo-Canadian culture, and JRPG, anime, and manga fan cultures.
If you work in business, you probably know what corporate culture is. It's how the people in your company behave, how the people in your company feel about it, and the attitudes and styles your company reinforces, whether that's done deliberately or accidentally. Corporate culture can affect employee morale, which can have a measurable effect on your bottom line.
A strong security culture encourages the people in your company to behave in ways that facilitate your resilience to cyberattacks and help protect your precious data.
I spoke to J. Wolfgang Goerlich, advisory CISO at Duo Security, a Cisco Systems company. CISO stands for chief information security officer. CISOs bridge the gap between the suits and the nerds. Goerlich has years of experience in securing corporate business computer networks. Here's what he told me about security culture:
Security culture comes from a partnership between security champions and security advocates. A security advocate is a member of the security team who focuses on getting practices into the hands of the workforce. It's more common for us to talk about security champions. A security champion is a member of the business itself, who collaborates with the security team on best practices. A culture of security has advocates working with champions to interpret and implement security controls. In a well-run security practice, controls will be usable and widely adopted, because of the partnership of advocates and champions.
All security controls are useless if they are ignored. Good security is usable security. Good security is adopted security. The starting point, then, is empathy and kindness for the people we are charged with defending.
Daniel Chromek is CISO for ESET, a major developer of antivirus software and various security products. I believe that everyone in your organization needs to develop good security habits. Here's what Chromek told me about that:
I would stress the word everyone. I'm in a better position compared to my peers (CISOs of other companies, including those outside of the cybersecurity industry) as we are a security company. This means multiple things. It's easier to explain to my business managers, as they natively understand that “we are a security company” means our brand is based on the security of the company. And even people in departments that don't need to understand security management understand that branding is important.
Security culture means that part of awareness training is decentralized. If someone is targeted by phishing, then they can speak to a colleague in the same room (now virtual) and ask them to take a look into it instead of going through an IT ticketing system.
People aware of security can smell if they are being deceived by FUD, so the communication from the security team needs to be straightforward. (Both Merriam-Webster and Urban Dictionary define FUD as fear, uncertainty, and doubt.) Also, security-aware people can point out bad (security) control selection or implementation very quickly by replacing auditors or specialists.
Of course, the security culture is not a replacement for security controls, but it helps in all kinds of controls, even unpleasant ones.
As with all the work you must do to keep your company secure, establishing and maintaining a strong security culture isn't a project you set and then forget, as some infomercial spokespeople love to say about their As Seen on TV products. It's a constant, everyday process. It's something you build and maintain over the years. And if you neglect it, it will die. I love cybersecurity expert Bruce Schneier's ideas, so I'll quote him again as I often do in my writing:
Security is a process, not a product.