Following on from the success of the Summit in Amsterdam, last week I found myself back in Stockholm with ISC2, Ciaran McMahon and Jessica Barker, to share insights into awareness, behaviour and culture.

It’s always a warm welcome when people recognise you from previous talks and remind you of key lessons they walked away with regarding our work at Marmalade Box into Re-thinking the Human Factor.

Once again we found the workshop was well attended with in excess of 90 attendees registering for both sessions. Some attendees had mentioned that culturally the Swedes can be  reserved with comments and feedback, we clearly had attracted the more talkative from the security community to our event on this occasion. The number of questions posed and debate was pretty significant and highlighted to me the hunger of the Scandinavian community to re-think the human factor.

Today’s blog post covers some key points which came up during my 2 days sharing thoughts on security awareness, behaviour & culture.

The impact of culture

We often, rightly, talk about building an “information security culture”, or the impact of organisational culture on security. I wanted to broaden the scope of what we considered when we used the term “culture” in the context of security, by highlighting the influence of not only national culture, but also industry, professional and global “norms” on security.

The attendees made it simple to introduce this slight twist, by highlighting examples of how people expose confidential information in public spaces, such as planes and trains, without due care or potentially in breach of organisational policies.

This relatively common example of getting security wrong provided the context for the discussion where, both within and outside of the workshop we discussed broader societal questions about workplace trends, including working hours and the pressure to “get the job done”, and how these driving employees to expose sensitive information to unnecessary risk.

Let it go!

Adrian Davis, MD at ISC2 EMEA, asked a question about what the workshops leaders would recommend information security folks do to improve overall communication. Jess and Ciaran gave some great answers which I agreed with. I wanted to build on this and decided to take a different and possibly controversial tack.

I admitted that I don’t think I write great reports. Or at least I don’t really enjoy writing them. But recognising this means that I can focus on doing the things I do well. My question to the audience, was whether communication was a strength of ours and, if it was not, then maybe we should recognise this and “let it go”. Leadership is, after all, about recognising the strengths and opportunities for improvement of you and your team.

Interestingly, Jessica had shared a slide of findings, from the SANS Securing the Human 2017 Survey, where the effectiveness of communication was identified as the largest barrier to Securing the Human. This was a key belief of mine when I first set up The Analogies Project as a means of supporting the security community to communicate more effectively with stakeholders 5 years ago.

The Power of Social

This is more of an observation. But it highlights my research and the work we’ve done at Marmalade Box in developing our SABC (Security Awareness, Behaviour & Culture) Framework.

In the final session we had 65 people in a hall capable of holding  maybe 750. Attendees spread themselves out from the from the front to the back. We suggested that attendees might want to come closer to the stage. The response was initially muted. However we then explained the benefit to the audience. A couple of people stood up and moved forward. Others, then followed the actions of the early movers, and then eventually even those who had shook their heads moved forward.

For me it highlighted the power of “social” which is sometimes called the herd effect. People are social and we are highly influenced by the activity of people around us. This is a strong tool when it comes to awareness, behaviour and culture.

The Next Workshop

The next workshop with ISC2 is in Zurich at the end of June. Whilst I will be presenting on the cultural influence on our role as information security professionals again, you are more than welcome to catch up and quiz me about awareness, behaviour or culture and Marmalade Box’s SABC (Security Awareness, Behaviour & Culture) Framework.