Changing a corporate security culture, or even just that of your own office or department, can sometimes seem impossible. In general, people don’t like change: they just want to do their jobs without much fuss, and go home.
Regardless of the size of the organization and your position in it, if you can persevere in finding the right way, you can change its security culture.
Cyber security consultant Nancy Snoke recently gave a short talk at NolaCon about this topic, and used her own experiences as examples of how to solve several different problems that might arise in your office (presentation recorded by Adrian Crenshaw).
Sometimes she succeeded, sometimes she failed (but learned from her mistakes). She often wasn’t in the ideal position to make changes, but found a way to push her agenda through despite the many rungs of the ladder that separated her from those who had to OK or push the changes.
Effectively, this is a talk on how to push for better security culture when you’re a cog in the machine, and not the one pulling the levers.
At the end of her presentation, she mentions some resources for more in-depth research about the topic. You can find reviews for two of them on our site: Build A Security Culture, and Building an Information Security Awareness Program.