Developing a Security Culture

What type of security culture do you have, and does this support the demonstration of the right security behaviours? 

Security culture is defined by CPNI as ‘the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security’.

Without the right security values (i.e. culture), employees may pay lip service to the security practices in place, resulting in poor behaviours and lack of compliance with protective security measures. This in turn can lead to increased risk of security incidents and breaches, reputational and financial damage, the development of a climate that facilitates insider threat, as well as potential harm to employees, customers, and/or business performance.

CPNI has developed a tool (SeCuRE) to assist organisations with examining their existing security culture and identifying where and how it may need to change. It can also assess whether the right mix of organisational mechanisms is in place to drive good security practice.

TIP: Using the SeCuRE tool to understand and develop your security culture is best done once you are clear on what the key security threats and risks facing your organisation are. This will enable you to have a more focused review of whether your current culture is fit-for-purpose and whether strategic level change in how security is handled or managed is required.

To support you with embedding culture and behaviour change within your organisation, CPNI has developed a number of campaigns, materials and guidance to assist you.

Embedding Security Behaviour Change