What is needed to create a security culture?

90% of the nearly 5,000 technology professionals who recently responded to a cyber security survey conducted by ISACA and CMMI Institute experience a gap between the existing business culture and the security culture they believe the business should have. This applies both to day-to-day awareness and to management priorities, according to the resulting Cybersecurity Culture Report.

Furthermore, the report says that only 34% of respondents are aware of the role they play in creating a culture of security in their organization. Creating a security culture requires a number of measures. Awareness and training are important elements here.

At Glasspaper we use the XtraMile software to create training modules on different topics, which are distributed to all employees. This builds employee awareness of safe behavior. In addition, staff in technical IT positions regularly attend, or even teach, a number of the security courses Glasspaper offers.

We use the CRMAP software provided by Kamude as a tool for management to visualize security threats, risks and deviations, whether they concern IT systems, routines, lines or physical assets. In addition to management and the security officer, others with access to CRMAP can get an overview and awareness of security for all parts of the company, across business areas and locations. The insight CRMAP gives helps more key people in all teams in the organization contribute to awareness and to building a security culture. Management thus has a good tool for assessing risks and allocating resources to deal with potential threats. CRMAP is built to handle compliance with a number of standards that address security and privacy, such as ISO 27001/2 and GDPR, and more.

Security now has a natural place on the agenda of any gathering or kick-off, both to refresh knowledge and awareness about security and to share information about new threats. Building a security culture is a continuous long-distance race.

In the survey, only 5% respond that their business is well positioned to handle both internal and external threats. Most of these respondents state that senior management has a strong focus on and understanding of security, which indicates that a security culture is difficult to create unless it is high on management's agenda.

Despite daily news reports of attacks and unfortunate events, 42% of respondents report that they have not established a plan to create a security culture. While these businesses spend on average 19% of the budget on training and tools, risk-conscious companies (5%) respond that 43% of their annual IT budget goes to this.

Many still work with spreadsheets and similar solutions to keep track of risk. Management often receives only a half-yearly or annual report on security. We see that only the security officer in the business is driving security development. In 2017, Glasspaper bought into Kamude, the software house that supplies CRMAP (Compliance, Risk Management & Asset Protection). This is a platform developed by security specialists to help businesses more easily establish a framework for working well with security and security culture across the company. We believe that companies using this platform will, over time, help build the security culture that many businesses are missing today.