Culture and Communication Strategy

In continuing my cyber security Applied Security theme, I wanted tostart with the Culture and Communication strategy (C&C). I've talkedabout it before in other posts but it's important to talk about some ofthe particulars in how it's implemented. It's important to rememberthat the C&C strategy is a filter in which all other activities andbehaviours must pass through. To change a company's view on the worldwe need to be very specific in making sure that everything we do goes tosupporting that model. It's also important to reiterate that I believethat the problems we have are not technical in solving the "securityproblem" but human behaviour. It's not until we solve that problem dowe ever really get progress in solving the control implementationproblem. The majority of my beliefs around this strategy have beenhoned with specific readings. You can find them in the "Security Booksand Resources" section. I strongly encourage any and all practitionersto take time and read them.

C&C Levels

There are three main levels in my concept of this strategy. Where I'mimplementing them in three distinct years, they can be expedited basedon your environment. The first is a general population focus. Theintent here is to message and move the behaviour of the general companyand organizations. The second is individual focus. The intent is totarget specific influential individuals that are key in becomingenablers of security to change their behaviour. The third, and last, isenvironmental focus. The intent here is to create a self healing environment that will protect itself. When individuals with oppositeviews come in, those individuals either convert or are rejected.


The message has been discussed a great deal in past postings, yet, it'simportant to ensure proper development of the message in relation to theaudience. There are key aspects to the messaging that need to be there.The message needs to attach to something they care about. I targetareas such as how security failures affect our customers and theircustomers. I detail out how all of our personal and family data is atrisk. I even describe the importance of us leading the way in thetumultuous threat landscape and providing a solution to the world'sproblems before all is lost. These points, where talked are much morein depth, target the self and what the individual holds more importantthan themselves. It's good to read Daniel H. Pinks "Driven" as well asEdward L. Bernays "Propaganda". The message must also be supported withdata. I use live data regarding our malware infections, incidents,vulnerabilities, etc. Without pulling back the curtain and showingreality how can we ever expect them to agree with our view? This is anindustry issue that must change. The last point is that the messagemust include faults as well as success. The credibility byacknowledging failure drastically surpasses any success in my experience.

Message Vehicles

There are a multitude of vehicles that we use to get the message out.From the beginning we use covert and overt vehicles for differentreasons. Overt will help establish credibility with the audience froman organization perspective. Covert will establish credibility with themessage regardless of the organization. The majority of this is basedon "Propaganda".

Town Hall. Town halls have to be one of the most important vehicles wehave. Where they are not frequent it does allow a more personalconnection with the user. This breaks down the anonymity of themselvesand more importantly us as practitioners. The point of the meetings isto provide a discussion vs. a one way presentation. By kicking off themeeting with a 10 minute presentation of the world it quickly goes intoQ&A. This is the point and where the employees start to get involved.In all conversations the message is reiterated. The important factor isthe presenters ability to make it personal, hopeful for the future and astrong narrative over security. Stephen Denning's "The Leader's Guideto Storytelling" is the perfect book for this. I can't stress that enough.

Monthly Communication. When we look at the main influencers onindividuals in the company it was always their manager. People do whattheir pay checks tell them. The monthly communications focuses onanyone with a manager title and all executives (VP+) in alternatingmonths. The later is based on the understanding that most executivesdon't pay attention to manager communications, yet, will to "Executive"communication. In these emails, we subtly change the message but thereare constant components to them. The sections are what's going on inthe world, what's going on in the company and finally how can I learnmore or contact security. Each message really focuses on a key topicbut is never overt, such as data loss, malware protection, etc. Withthem we use internal data in our section to underscore the message.

Monthly Intranet Articles. Every month a team member is required towrite up an article to be posted to the company's intranet site. Thesubject is based on a need we have within Information Security butdoesn't always need to be explicit. The schedule of article subjects iswritten at the beginning of the year and including consideration forholidays and milestones that are important to the reader. Holidayshopping, kids going back to school, end of quarter sales, etc. Each ofthese top of mind subjects are focused around security in order toattach our message to them. Here are key ways to shop securely, how toprotect your children from cyber predators, how to protect yourcustomers' data. By just having a conversation on security topics andpractices there is a bleed over affect in how they act as normal course.i.e. behaviour modification.

Organizational Staff Meetings. In carrying on the subject of people dowhat their pay checks drive them to. We focus on giving presentationsor simply being present at key decision makers' staff meetings. Thisdoes a couple of things. First, it shows to the employees that themanager / executive sees Information Security as being important withouthaving to say it. Second, it gives an opportunity to have discussions,in a staff context, around issues and concerns they might have. Thissecond point is supported by the manager / executive's thoughts.Typically, they are supportive of security and that is directly evident.Lastly, it gives a great opportunity to present the future roadmap ofsecurity to with the communicated intent to identify any concerns orissues that might come up. There is nothing more destructive than anindividual saying that an implemented control hit their productivity orthat it doesn't make sense. This is a very common response and thegeneralization dramatically hurts the InfoSec credibility. By havingthe meeting the transparency is vastly welcomed and those excuses arehindered before the control is ever implemented.

Company Security Presentations. The only sole covert vehicle that I'veused is one of companywide presentations. We will manage a companywidepresentation / discussion on a particular topic (new threats, attacks,security concepts), yet, we will never give the presentation. We willask individuals from around the company to talk about the need, solutionand progress as an industry topic. This does a couple of things, and iscore to Bernays beliefs, where it removes that auto negativeassociations with Information Security as we aren't giving it. i.e. "Idon't trust the reason because those security guys are always paranoid".By having development leads talk about application security, lawenforcement talk about criminal cases or having security analyst talkingabout the threat landscape, it's a great way to have a securityconversation without having a InfoSec person degrading the conversation.We try and have these monthly

Telemetry. Lastly, it's important to have some telemetry implemented tounderstand if what you are doing is working or not. By implementing anannual survey that goes out to the company helps a great deal. Thesurvey should focus on three major areas. The first is how do you feelabout security as a concept, the second is do you feel about security asan organization and the third is do you practice good security. Thesurvey is around 25 questions that don't explicitly call these areasout. The results show enablers vs. detractors in the company bygeography and organizationally. This sets us up to do our targetedmarketing with the manager of that area and possibly local town halls.