Скачать книгу

       22 percent said that it was a recognition that security is a shared responsibility across the organization.

       14 percent indicated that it had something to do with establishing formal groups of people that could help influence security decisions.

       12 percent said that a good security culture meant that security was embedded into the organization.

       Situations like this belong in Monty Python skits, not as part of the unconscious assumptions driving our security and risk management programs.

      At this point, you're probably asking yourself which of the five categories we most closely align with. For the most part, we believe that the 12 percent of those who indicated that a good security culture means that security is embedded throughout the organization should get the gold star. Respondents in this category made statements like, “we put security in high regard throughout the company.”

      Your humble authors believe this is the most accurate representation of what a good security culture is. The definitions offered up within the other categories would naturally flow from this. Having security embedded throughout the organization and holding security in high regard will result in people following policies, having awareness of issues, and recognizing that security is a shared responsibility, and the intentional creation of groups who would serve as security advocates and liaisons.

      Let's be clear. We believe that 12 percent of people offered a directionally correct response. But the other 88 percent of respondents also offered valuable insights. They offered ideas of things that we might consider evidence (or artifacts) of a good security culture.

       A Problem of Overconfidence

      The Forrester Consulting study also found that security leaders are overconfident that they have a good security culture. That's obviously not a good thing. Overconfidence means they believe that they've got things under control. These leaders have a semblance of security in their mind, and yet they're leaving themselves extremely vulnerable. They are, quite literally, operating under a false sense of security.

      There's a phrase that I, Perry, have said for years: “A security culture already lives and breathes in every organization. The question is really, how strong, intentional, and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?”

       A security culture already lives and breathes in every organization. The question is really, how strong, intentional, and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?

      You can't treat security culture as a black box topic. Security culture does not exist as an entity unto itself. You already have a security culture, whether you like it or not and whether it is good or not. Security culture is inexorably intertwined within your larger organizational culture. The question you need to deal with is what are you going to do with (or about) these security-related aspects of your larger organizational culture?

      It's your move.

       Security and business leaders are realizing that humans are a critical layer within their security programs.

       Recognizing humans as an important layer in your security program does not negate the importance of technical defenses.

       The question isn't whether or not you have a security culture; it's how you need to engage it.

       Leaders agree that security culture is a critical aspect of risk reduction, but there is little agreement on what constitutes a good security culture.

       Security leaders are often overconfident in the maturity of their security culture, resulting in a false sense of security.

       This book will give you the necessary information and tools to begin shaping your security culture.

      Management is efficiency in climbing the ladder of success; leadership determines whether the ladder is leaning against the right wall.

       Stephen Covey

      Let's be honest—no organization will ever be fully secure. Security is a management process. It's the process of managing all the risks and threats that arise minute by minute, hour by hour, and day by day. You are never done. You can be more secure than you were yesterday, but you never arrive. You're always a zero-day threat, misconfiguration, or employee-related incident away from being less secure than you were just a minute ago.

      If there is one good thing that comes from all the media reporting about cyber breaches around the world, it is that virtually every organization now recognizes the need to shore up their cyber defenses. Along with that recognition comes the need to communicate clearly throughout the executive team and board of directors about the organization's risks and cyber readiness. This isn't to say that every member of the board of directors and executive team needs to become an expert in cybersecurity in addition to their current expertise, but they do need to become experts in understanding the risks that cyber-related events might have on the business.

      Risk is the key word. Executives manage based on risk, reward, and opportunity. Conversations about security for the sake of security will have limited

Скачать книгу