What we achieve together: building the corporate security culture
The primary objective of information security is to achieve positive business outcomes. Security awareness alone achieves almost nothing: the payback comes through improving information security in three ways:
Cost reduction e.g. incidents and compliance failures that are less frequent and less serious;
Increased assurance e.g. a more confident management making bolder business decisions, knowing they can depend on strong security arrangements;
Increased efficiency e.g. employees know they should get specialist help with complex information and IT security matters, and know who to ask, while the professionals appreciate their advisory role and are keen to help.
Informing people about information security merely increases their knowledge. They also need to be motivated, given opportunities and encouragement to exploit the knowledge and change their ways, for example making better decisions, avoiding or reducing risky behaviors, and responding to incidents. Of these two, motivation is by far the bigger challenge.
We are often told how important it is to establish a security culture - easier said than done! NoticeBored goes beyond merely providing awareness content. We promote understanding of and commitment to information security among your employees, helping you generate and sustain a security culture by socializing security. Bringing the underlying security messages to life, making them interesting and relevant, encourages employees to think and chat about the monthly topics.
This is the key reason why NoticeBored addresses staff, managers and professionals in parallel, supporting their differing perspectives on the same subject ... but that’s merely the start. In ways that are hard to predict or control, information security stories can take on a life of their own - for example, an employee who spots a TV news item about a major credit card incident might mention it to colleagues over coffee. Through the privacy, identity theft and compliance awareness modules, they will all have had a grounding in the basic concepts, leading to a more informed and enlightening discussion. Managers will know something about the strategic, governance and compliance aspects (e.g. PCI-DSS and privacy laws), while professionals will appreciate the practical constraints on securing credit card and other personal data through technical controls. Without awareness, nothing gels.
“To successfully lead from the top, organizations must help CISOs materially engage with enterprise leadership and make the case that cybersecurity is a critical priority in protecting company value, [and] encourage the unified leadership team to effectively communicate the issues to the rest of the company. By embracing these steps, organizations can improve their cybersecurity capabilities and position their businesses to thrive, despite the rising cybersecurity threats.”
Accenture Security Index
Over time (and yes, cultural change inevitably takes time), each interaction, each piece of information, each awareness topic and event builds a generalized appreciation of information security - what it is about, what it means, why it is important both for the business and the employees - throughout the entire organization, and that in turn influences the way people behave.
In contrast to more limited approaches, a NoticeBored awareness program actively exploits social interactions and corporate social networks to spread the word far and wide. That’s part of what makes NoticeBored unique in the security awareness market.
“In discourse within organizations, security often doesn’t feature at all, and if it does it’s often in a negative way and people are complaining about it. That’s what we want to change - we want people to talk about security, discuss the risks, but help each other out. The more people talk about security to each other, the better things will become.”
Professor Angela Sasse
One further example illustrates the value of awareness. High safety levels in the aviation world are no accident: safety has been systematically improved over decades thanks to learning from all kinds of incidents and near-misses. Clearly, incidents and near-misses must be brought into the open in order to learn from them, but the enormous human, economic, legal and even political implications are strong reasons to keep them hidden. Whereas formalized accident reporting and follow-up mechanisms are important, the safety culture that pervades the entire industry is crucial. The medical industry is tackling the same challenge right now: covering up medical mistakes may suit those responsible, but the blame culture is unhealthy. The parallel with information security is obvious ...