How to build and maintain security culture in any organization

Post on 23-Aug-2014

Category: Leadership & Management

DESCRIPTION

These are the slides from a presentation I gave at the ISACA Nordic Conference in Oslo 2014, where I discuss what culture is, why it is important, and propose one way to build and maintain security culture by using the Security Culture Framework. You can read the transcript at my blog: http://roer.com/2014/04/08/build-maintain-security-culture/ which will help you make more sense of the slides!

Transcript

SECURITY CULTURE

by Kai Roer

ISACA Nordic Conference, Oslo, 2014

SECURITY CULTURE

Say what…?

WHAT IS CULTURE?

the ideas, customs, and social behavior of a particular people or society

Ref: Oxford Dictionary

WHAT IS SECURITY?

• the state of being free from danger or threat

• the state of feeling safe, stable, and free from fear or anxiety

Ref: Oxford Dictionary

SECURITY CULTURE

the ideas, customs, and social behavior of a particular people or society, that helps them be free from danger or threat

Ref: K. Roer

CREATING

a Security Culture Program

INTRODUCING: THE SECURITY CULTURE FRAMEWORK

WHERE TO START

1. Set up your team

2. Define your goals, and how to know you reach them (To-Be)

3. Measure your current status (As-Is)

4. Define target audience(s)

5. Choose relevant topic(s) and activities

6. Plan and execute

7. Measure and Revise

8. Restart

WHY A PROGRAM

• Culture is constantly evolving

• Organizations change

• People change

• Not one training to save them all!

MORE THAN TRAINING

• Security Culture must be nurtured

• Support business

• Create understanding & Awareness

• On-going

• One step at a time

THANKS, ISACA 2014!

• http://theroergroup.com

• http://roer.com

• https://scf.roer.com

• @kairoer

SOURCES OF INFORMATION

• The Security Culture Framework project

• Research

• SANS

• The Analogies Project

• The Security Awareness Framework project