Move on policy, here comes security culture
This VMware infographic on the role of CISOs highlights an interesting swing from do-what-the-policy-says (2012) to creating a security culture (2017).
I wrote my first security policy in the early 00s. To be truthful, someone else wrote it; by that stage I had picked up the idea that, as a “manager”, it was seen as efficient to get someone else to do things, freeing me up to do something supposedly more useful. I received an ISO 27001-aligned security policy, which was then published and of course received scant attention. Unfortunately, it did set me on a path of using a security standard as the basis for writing a security policy, something I would not do nowadays. That type of standards-based policy might be well intentioned and tick all the compliance boxes, but it is not something people can easily absorb, and it is extremely unlikely to result in improved behaviours and reduced risk.
Now I would promote the idea that standards are good for setting technical expectations, and policies are how we manage our overall cultural and behavioural expectations. Policies need to be written with the audience in mind, and (generally) that audience is not going to be interested in or engaged by ISO-speak. Or NZISM-speak, or HISF-speak. How can we hold people accountable to policies if they can’t even understand them?
At mindshift, we think that awareness is a superset of understanding that enables people to make good decisions in uncertain circumstances. The attacks we see today will come from a different angle tomorrow, and the awareness we need lies in understanding how each and every one of us is a target and how our human vulnerabilities can be exploited, so that we can spot those attacks no matter where, when or how they appear. Policies can help, but they're not the whole story. We think VMware and CISOs are right on track here: creating a broader culture of security awareness, rather than command and control by policy.