Read the book The Security Culture Playbook - Perry Carpenter - Page 13
A Problem of Overconfidence
The Forrester Consulting study also found that security leaders are overconfident that they have a good security culture. That's obviously not a good thing. Overconfidence means they believe that they've got things under control. These leaders have a semblance of security in their mind, and yet they're leaving themselves extremely vulnerable. They are, quite literally, operating under a false sense of security.
There's a phrase that I, Perry, have said for years: “A security culture already lives and breathes in every organization. The question is really, how strong, intentional, and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?”
There are already embedded security-related attitudes, beliefs, values, behaviors, and social norms in every organization. Your goal as a leader is to be intentional about how you pinpoint and measure security-related aspects of the culture and how you intentionally shape those aspects. That means you must be proactive about security culture management. You need to understand how that can become part of your larger organizational culture management initiatives. Ultimately, you want security beliefs, values, behaviors, and social pressures woven all throughout the fabric of your larger organizational culture. The takeaway here is that you already have a security culture. What are you going to do with (or about) it?
You can't treat security culture as a black box topic. Security culture does not exist as an entity unto itself. You already have a security culture, whether you like it or not and whether it is good or not. Security culture is inexorably intertwined within your larger organizational culture. The question you need to deal with is what are you going to do with (or about) these security-related aspects of your larger organizational culture?
It's your move.