October’s awareness module covers security culture
Introduction and scope of the module
An organization’s culture, comprising its workers’ attitudes, beliefs, practices and behaviors, is a nebulous concept, hard to pin down and yet potentially a very powerful factor in business.
Regarding information risk and security, if everyone in the organization, collectively, is aware of and fulfils their obligations, supporting each other and pulling together, the organization is likely to be more secure … but that’s a tough ask, our challenge for this month’s awareness content.
October’s NoticeBored module is essentially a recruitment drive, informing and motivating everyone to play their parts in the organization’s Information Security Management System, although we don’t use that specific term (the awareness content is aimed at business people in general, not infosec specialists!).
Security culture is a brand new awareness topic, the 63rd in our portfolio.
The materials inform and persuade workers, visitors, customers, suppliers, business partners, the authorities and others to think of the organization as secure and trustworthy – a ‘safe pair of hands’ that protects and looks after information properly. In fact, moving beyond perception, the materials are intended to make the organization more secure and trustworthy by strengthening the corporate security culture through awareness. Once security has become second nature, our job is done.
The awareness stream for management is particularly important this month. Our intention is to convince managers that:
Although they may never have considered it as such, the corporate security culture really matters to the organization - it's very much a business issue;
While culture is largely an emergent property of dynamic social groups and interactions, it can be influenced, if not actually controlled, through sustained and deliberate actions - it's a strategic business issue;
The security awareness program is a viable and valuable mechanism to influence, grow and strengthen the corporate security culture;
Managers themselves are part of the strategic approach, for instance not merely mandating staff compliance with security and privacy rules through directives, policies and procedures, but walking the talk, demonstrating their personal concerns and proactively supporting information risk, security, privacy, compliance etc. - in other words, leadership.
Explore the thinking that went into these awareness materials, and tag along with us as we develop next month’s module, on the NoticeBored blog.
October’s awareness materials are designed to:
Explore workers’ general attitudes, values and perceptions relating to information risk and security.
Position information security (plus related concerns such as governance, information risk management and compliance) positively as something beneficial both to individual workers and to the organization and society at large.
Gently shift the corporate culture in a more secure direction, for example encouraging people to collaborate and help each other on risk, security, privacy and compliance matters, generally raising standards in this area.
Think about your learning objectives in relation to the corporate security culture. In your organization, who has an interest in this area: Information Security, Site/Physical Security, HR, Executive Management, IT, Operations, Sales & Marketing maybe, or someone else?
What’s actually in the NoticeBored module?
This month, NoticeBored subscribers receive a 58 Mb .ZIP file containing the following content - mostly MS Office files, camera-ready but customer editable:
Nurturing the corporate security culture through awareness
Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context. NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course, but the principles underpin the general staff and professional streams too. Information is a valuable and yet vulnerable asset that needs to be protected and legitimately exploited for sound business reasons - not just for compliance purposes or because we say so! Properly done, information risk management is a business enabler, with security awareness a vital part of the approach.