How To Implement And Nurture A Security Compliant Culture

Security Compliant Culture

Now more than ever, it’s important to be compliant with industry and government regulations. For the last several years, governments and industry groups on both sides of the Atlantic have been increasing the level of regulation for organisations, forcing them to prove that they have the proper controls in place.

What happens if an organisation doesn’t comply with security rules? They could be subject to expensive fines: breaching the Payment Card Industry (PCI) security standards imposed by credit card companies can result in fines of up to $100,000 each month, for example.

In the case of a breach, an organisation would also have to pay the costs associated with informing customers and remediation to prevent it from happening again, not to mention suffer severe reputational damage, which would be far more costly than any fine. Brand damage is impossible to calculate and extremely difficult to repair.

This isn’t a theoretical problem. 27% of senior IT decision makers highlighted meeting security compliance requirements as their biggest security challenge for 2012, ranking top above Advanced Persistent Threats, cloud security and web application vulnerabilities.

As both regulations and new technologies proliferate, those responsible for security compliance face a daunting task: keeping the organisation compliant, while allowing users as much freedom as possible to take advantage of new hardware, software and services.

It’s All About The People

You may think that a solid IT security policy solves that problem, but the truth is, it doesn’t. Documents are static; they sit on a shelf and do nothing. It takes people to make those policies work. Unfortunately, people can be unreliable, erratic, and …well, just so darned human. People create cultures, but those cultures often grow in strange and unpredictable ways. Fortunately technology is at hand to enforce your IT security policy and get your employees to help create a culture of security in your organisation, and make you truly compliant.

Explaining What, And Why

People like goals. It gives them something clear to follow. Organisations should start by setting some. A rare few security standards (such as PCI) will mandate those security goals in great detail, telling them what to implement and where. In most cases, though, the guidelines are broader, leaving it up to the organisation to interpret the guidelines by creating their own goals.

Outlining the roles and responsibilities within an organisation is another crucial component for any security compliance strategy. Employees must clearly understand the bounds of their role in an organisation, and must understand the dangers of crossing those boundaries. What systems should they access, and what information can they see? What can they share with others?

It is important to explain the reasoning behind these goals, roles and responsibilities to employees. If they don’t understand why they must do something, they are less likely to remember to do it.

If you tell your receptionist never to give out the name of anyone in a particular department, he/she may give in to persistent callers thinking it’s harmless enough to pass over one or two names. But if you were to explain that headhunters routinely try to find the names of key salespeople to poach them for competitors and ask for the receptionist’s help to actively prevent this, the reception staff are likely to comply as they have become involved in governing this policy. As the Chinese proverb goes: ‘Tell me and I will forget; show me and I will remember; involve me and I will understand.’

A Gentle Reminder

Explaining why people should do something is one part of an effective security policy, and reminding people to do it is another. With self-inflicted security breaches prevalent, it is more important than ever that we take this problem seriously.

Let’s draw on a little history here: in the second world war, when national security effort was particularly critical, campaigns used posters and slogans, along with a sense of group responsibility, to help hammer the point home.

“Careless talk costs lives” may be a little strong for the corporate security world, but displaying posters around the office with slogans about not sharing passwords, thinking twice before giving out information, and not leaving sensitive documents lying on your desk are good ways to remind people. So is a system which tells employees when there is a potential breach of policy, so they have time to rethink their actions and prevent any data leakage.

It is also worth reminding employees that there are other people in other organisations who are looking after their information, so they should treat the data they are entrusted with in the same way that they expect other organisations to treat theirs.

Policing

None of this will be any use unless you police it. Compliance requires proof, which means checking that someone has done something – and taking action based on the results. Effective policing involves use of both carrot and stick: reward people for doing it right; hold them accountable if they do it wrong. Policing is a problem for many organisations. Two thirds of them don’t enforce security policies properly. That has to change.

One way to do this is to appoint someone to hold people accountable. A security ‘czar’ in your organisation can help to police security compliance by checking on behaviour. This can be replicated more locally by making mid-level and team managers responsible, too. An even smarter move is to ‘gamify’ security, rewarding people who consistently follow effective security measures (like logging out of systems when they leave their desks, for example).

Although policies are about people, technology can also be useful in effective policing. In some cases, organisations may need a technological component to enforce these guidelines. Telling people to use strong passwords and change them every month is something that can be enforced by software, for example. Email and social networking filters can help to prevent inappropriate information leaving the organisation.

Listening

Successful security compliance is as much about learning and understanding as it is about dictating. Compliance audits are not only good reporting tools to help tick regulatory boxes; they are also ways to pinpoint problem areas in the organisation. If an audit finds that people are consistently sharing passwords in a particular department, it creates an opportunity for a conversation with staff. Perhaps log-on processes are too long, or don’t reflect working patterns, and the problem can be fixed by reconfiguring the system.

The ideal outcome here is to create a positive feedback loop. A policy is a living, breathing thing, and it should change with the organisation. If you audit effectively, you will not only understand how staff are performing, but you will get a sense of what’s working and what isn’t. Staff will tell you how they can perform better, if you’ll hear them. And these suggestions can be used to create a policy that is more suited to your organisational processes. The result? Everyone wins.

Your staff are happier, your organisation is more secure – and you’ve vaulted the invisible barrier between having a policy for compliance’s sake, and having one that truly protects your organisation. That’s effective management at work.

Guy Bunker

Dr. Guy Bunker is Senior Vice President of Products for UK-based security company Clearswift and is an internationally renowned IT expert with over 20 years’ experience in information security. Before joining Clearswift in October 2012, Guy was a Global Security Architect for HP. He has recently authored a paper on security for the Elsevier Information Security Technical Report and co-authored the European Network and Information Security Agency (ENISA) report on cloud security. Guy is a frequently invited speaker at conferences, including CDANS, AGC Partners, RSA, EuroCloud and InfoSec. Guy is a board advisor for several small technology businesses and has published books on utility computing, backup and the best-selling "Data Leaks for Dummies" on data loss prevention. He holds a number of US patents and is a Chartered Engineer with the IET.