How to develop a culture of security in the enterprise

Although many maturity models target government, Michael Cobb reviews how one framework contains guidance that is pertinent to businesses as well, particularly those looking to establish strong security training practices and create a culture of security.

In October this year, the HMG Information Assurance Maturity Model and Assessment Framework was published.

Its aim is to help senior information risk owners in government departments create an effective change programme to improve information risk management (IRM). The model is aligned with the security standard ISO/IEC 27001:2005 and incorporates the mandatory information-related requirements of the HMG Security Policy Framework (SPF), a set of internal risk management and security practices and policies for government departments.

A goal of any maturity model is to lay out a programme of work to achieve clear progress through easily identifiable milestones. The three goals in information assurance (IA) that this model focuses on are:

  • Embedding IRM culture within the organisation.
  • Implementing best practice IA measures.
  • Effective compliance.

Although the model's target audience is government, it contains much useful guidance that is pertinent to businesses as well, particularly if they work with government and need to align themselves with the SPF.

I'm especially interested in the first goal -- embedding an IRM culture of security within the organisation -- because the speed of change in the way we do IT threatens to undermine even the best technology-based defences.

Getting employees and partners on board

The recent revelation by T-Mobile Inc. that its staff passed on customer records to third-party brokers shows that employees still pose one of the biggest threats to security. In the future, information assurance will be a key asset if it is embedded within the way an organisation, its partners and suppliers do business. This is particularly important in the context of cloud computing and shared services, which require trust in third parties.

There are five levels within this model, and I really like the fact that the framework stresses the need for board-level awareness and involvement, requiring procedures to be in place so the main board is able to understand and manage information risk.

In the maturity model, there's quite a jump from Level 1 "Initial" to Level 2 "Established" as it looks for IA processes to be "institutionalised" within the organisation, its delivery partners and its third-party suppliers.

Levels 3 to 5 require increasing levels of IA awareness and measured improvements in IRM behaviours, not only within the organisation, but also within its partners and suppliers. The goal is for IA to be a fully integrated aspect of normal business and seen as a business enabler, as staff attitudes and actions towards IA align to the needs of the business.

Beyond information security awareness training

To achieve such goals and develop a culture of security, basic security awareness and data handling training is no longer enough. It has to be delivered in such a way that employees don't just know how to handle data securely but consider it a passion and a true company value. Your training programme has to make it clear that information security is an integral part of everyone's job, with ownership, responsibility and accountability for risk made obvious in policies and job descriptions.

Many attacks aimed at obtaining confidential data rely on social engineering to be successful. Social engineers use psychological triggers such as appealing to someone's innate curiosity or natural desire to help.

Your staff needs to know that they are vulnerable to social engineering manipulation. They should be trained in how to respond to requests for data, whether via email, pop-ups or some other ruse. By laying out clear policies on how data is to be handled, you will ensure that employees will not be in a position where they have to consider whether or not certain information can be given out; this helps employees defend against the psychological triggers used by social engineers.

Before you start a round of security awareness training, though, check that your security policies are up to date, particularly sections covering the acceptable use of newer technologies such as smartphones, Skype and Twitter. Decide which communication channels can and can't be used to exchange sensitive information. Training should ensure that employees know how to identify confidential information and understand their role in protecting it. Employees must know what kind of information a social engineer is after, which requests are suspect, and how they might be manipulated. You're almost aiming for an environment where, if any request for sensitive information is made, the first reaction is to think, "No."

Creating a security awareness training program

Due to continually evolving technologies and threats, you will need to update and repeat your awareness programmes as you update your security policies. Because security policies are unique to an organisation, I've found that generic training packages are nowhere near as effective as those that have been tailored to reflect an organisation's own policies and environment. For example, if ID badges have to be worn at all times or visitors must always be escorted by a member of staff, then this can be reflected in the training with examples that staff will recognise as relevant to their own situation.

Do make sure training is rounded off with a test. This allows you not only to measure the effectiveness of the training but also to report on progress in establishing an IA culture. I have found that by offering small prizes you can greatly improve people's active participation in training. Prizes for the first department to get its entire staff through the course, or for the top ten scores, help demonstrate that security awareness is valued. Even just posting average scores by department can help motivate people to do better next time and encourage continued compliance.

Embedding a culture of security within an organisation is no overnight task. You're never going to be able to "patch" employees like you can software, but you need a similar programme to keep employees up to date with the latest threats. The Information Assurance Maturity Model gives you a good benchmark against which to measure your progress in achieving a security-aware workforce.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.