II Measuring Your Security Culture
The Competing Security Cultures Framework
Every organization that is concerned about protecting its information assets and systems—basically all organizations in today's networked and digital society—has an information security culture. The security culture is a facet of the overall organizational culture. Most organizations, in fact, have multiple information security cultures, reflections of local values and priorities, and not everyone inside the organization is going to share the same beliefs and assumptions about how security should and does work. What the information security team values and thinks is most important for protecting the organization will probably be different, at least in degree, from what HR (or Internal Audit, or Facilities, etc.) values and thinks is most important. In benign cases, these cultural characteristics coexist peacefully, never having cause to interfere with one another. But more often, they eventually compete. That competition may occur over resources, over money, or over simple political infighting. But the security culture that dominates, including the values and priorities that drive decisions and spending, will have profound implications for the organization's performance in regard to information security.
To ensure that organizations develop the most beneficial security culture, the most successful balance of differing priorities and motivations, we have to understand culture better. Organizations must develop techniques for translating general insights about culture into actionable intelligence. Fortunately, there are lots of theories, frameworks, and methods for accomplishing this goal, fueled by decades of research and practice in the fields of organizational performance and development. I propose my own methodology, the Competing Security Cultures Framework (CSCF), later in this chapter. But the CSCF did not develop spontaneously. I created it by adapting and extending earlier research, and it is worth spending a little time to understand those roots.