Compliance vs. Culture

Is security compliance the same as security culture?

Throughout the years and across industries, I have seen different approaches geared toward raising the levels of security culture of individuals and organizations. During this time I have observed one common misconception that deeply affects the work being done in pursuit of that goal: the belief that security compliance is synonymous with security culture.


Consider the following scenarios:

  • An operator complying with physical-security procedures only to avoid punitive fines.

  • An operator following physical-security procedures as a way to avoid getting fired.

  • An operator adhering to the company’s SOPs only to pursue a promised yearly bonus.

In any of the previous cases, can we definitively say that the operator and/or the organization are cultured in security? Can we say that their security culture is strong? My argument is that we cannot.

In our experience, an individual is cultured in security only when he or she voluntarily assigns priority to predefined security-related tasks/procedures. Voluntary assignment of priority is a result of conviction, and this conviction a result of education.

During the past 14 years, we have observed that educating people on credible threats and on how their actions or omissions impact the risks in a positive or negative manner is the single most effective way to start developing a strong security culture.
