The Security Culture Playbook - Perry Carpenter - Page 12
A Problem of Definition
In that study with 1,161 respondents, there were 758 unique definitions given for security culture. Forrester analyzed these 758 unique definitions and broke them into five different categories based on the general sentiment reflected in each of the proposed definitions. Here's the breakdown:
29 percent of respondents believed that security culture is compliance with security policies.
24 percent said that it was having an awareness and an understanding of security issues.
22 percent said that it was a recognition that security is a shared responsibility across the organization.
14 percent indicated that it had something to do with establishing formal groups of people that could help influence security decisions.
12 percent said that a good security culture meant that security was embedded into the organization.
That's a wide variety of ideas for what security culture is. And it shows the danger of not having a formal, industry-recognized understanding of what this concept really means. Just imagine being in a room where someone is talking about how critical it is to have a good security culture. Now, imagine looking all around the room and seeing virtually everyone (94 percent of the folks in the room) nodding in violent agreement. Seems like a real kumbaya moment, right? Nope. In reality, they are all agreeing to different concepts—preexisting assumptions about what they assume the speaker is referring to, but (and here's the danger) everyone believes they share the same definitional idea. Situations like this belong in Monty Python skits, not as part of the unconscious assumptions driving our security and risk management programs.
At this point, you're probably asking yourself which of the five categories we most closely align with. For the most part, we believe that the 12 percent of those who indicated that a good security culture means that security is embedded throughout the organization should get the gold star. Respondents in this category made statements like, “we put security in high regard throughout the company.”
Your humble authors believe this is the most accurate representation of what a good security culture is. The definitions offered up within the other categories would naturally flow from this. Having security embedded throughout the organization and holding security in high regard will result in people following policies, having awareness of issues, and recognizing that security is a shared responsibility, as well as in the intentional creation of groups who would serve as security advocates and liaisons.
Let's be clear. We believe that 12 percent of people offered a directionally correct response. But the other 88 percent of respondents also offered valuable insights. They offered ideas of things that we might consider evidence (or artifacts) of a good security culture.
We, as an industry, have a lot of work to do in making this idea of “embeddedness” and “high regard” something that is synonymous with how people generally define security culture. This understanding indicates much more than what surface-level security awareness can accomplish. It indicates a much deeper appreciation and value of security than simple policy acknowledgments or compliance will ever offer. This is something else—something different from the status quo.