Review: Build A Security Culture

Author: Kai Roer
Pages: 124
Publisher: IT Governance Publishing
ISBN: 1849287163

Introduction

Kai Roer is one of the creators of the Security Culture Toolkit, a well-regarded framework that offers a structured approach to building and maintaining good security culture within your organization. In this book he leads the reader, slowly and methodically, towards achieving that goal.

About the author

Kai Roer is a security consultant and trainer with extensive international experience from more than 30 countries around the world. He is a guest lecturer at several universities, and the founder of The Roer Group, a European management consulting group focusing on security culture.

Kai has authored a number of books on leadership and cybersecurity, and has been published extensively in print and online. He is a columnist at Help Net Security and is the Cloud Security Alliance Norway Chapter President since 2012.

Inside the book

Security culture can be changed, with small steps, iterated over time. The important thing is that you know exactly what you want to achieve, and that you find a way to do it. This book will help you.

In the first chapter, the author introduces the concept of group dynamics, explains how culture can be changed either by individuals or by the majority of the members, and puts forth the notion we all know to be true: individuals can adopt a new culture quickly if we provide them with a good incentive. The second chapter deals with the three elements of culture in general and security culture in particular – people, policies (rules, written or not) and technology (tools in general) – and how a change in each of these elements can impact the other two.

Chapter three explains how security culture relates to security awareness, which is about making our colleagues competent, i.e. teaching them to evaluate the situation correctly. He talks about mental patterns, cognitive dissonance, biases, mental shortcuts, and the importance of adapting security awareness training to our organization’s needs and to the way our colleagues think. But knowing something is not the same as changing a behavior; it is only a good first step towards it. Ultimately, you’ll need to motivate users to apply the knowledge they have accumulated in the correct way, and to do it as many times as needed.

In Chapter four, he demonstrates why involving your HR and marketing departments and management in building your organization’s security culture is crucial, and gives insight into how to achieve this. In Chapter five, he tackles the subject of groups, social interactions, and people’s psychological mechanisms, and how to use them.

Measuring security awareness and culture can be done; you just have to learn how: how to establish what employees’ baseline behavior is, how to analyze it, and how to influence it to achieve the changes you want to see. The author will tell you how to do it.

Finally, he explains the characteristics of good and failed security culture programs, and presents the Secure Culture Framework, which was created to facilitate the setting up and running of an organization’s security culture program. It includes metrics, goals, organization, different topics and activities, and planning.

Final thoughts

The author does not claim to provide the only effective solution for creating and maintaining a security culture program, simply a good, structured one.

What I loved most about the book is that he uses great analogies and examples, making it easy to grasp all the concepts presented. He keeps explanations simple, logical and short – the book is streamlined in the best possible way.