
I would like to know how I can create a healthy and positive environment for information security. Due to some mistakes, this is not the case at the moment at the company I am at. I am an intern at the company. I am a 19-year-old Dutch Industrial Engineering Management student doing an InfoSec awareness internship at a Bulgarian IT company. My job is to create awareness. I have three more months. Before I came, there already was a system in place, but that system was on the negative/punishing side. I tried to take it to the next level, but it did not work.

Please note: I did not have any previous knowledge of InfoSec before I started this 'challenge', and I do not understand the specifics of IT-related things. Only input -> black box -> output.

I have some basic change management knowledge and some knowledge of management control (key performance indicators, etc.).

I would like to know how I can change the negative approach (looking for failure) to a positive one (looking for success) without making a complete fool out of myself or making myself hated.

I am looking for something where people are happy and proud of doing something good, but I don't want to be giving compliments all the time because that gets annoying for people.

johan vd Pluijm

3 Answers


What you're looking for is a change in culture, rather than positivity as a goal. You'd want to re-state your objective, which is "Achieving a better cybersecurity culture". I'd highly recommend looking at SANS Securing the Human program. The resources available are effective, and they look at the psychological aspect as well.

Suggested starting point: https://securingthehuman.sans.org/media/resources/presentations/STH-Presentation-MakingAwarenessStickv2.pdf

Have a look at the Fogg Behavioral Model, and the various models you can use (Kotter's Vision model, the Heaths' Commander's Intent, etc.). It's not just about positivity, it's about impact and transformation. Positivity plays a role, but don't focus only on that, otherwise it's hard to be successful in 3 months.

Good luck with your internship!

Milen
  • Thank you. In order to tackle both my problems (short term: awareness and a list of incidents; long term: cultural change): I am aware of the culture that there should be. It will not be possible to make that and keep that within two months, so I am working on a long-term plan to achieve this. For the short term, would it be good to keep on checking, without red cards, and send an email to the persons telling them how they can lock their screens automatically, etc.? And of course give compliments when things go well. – johan vd Pluijm Nov 25 '17 at 16:33

This is a much better approach than trying to make people report violations.

First of all, people will do things that affect them or have meaning to them. So I'd suggest making it be about "this is how we protect you" rather than how to protect corporate data. Teach people how to keep their home computer secure - they'll take that seriously. Talk about how bad guys want to get access to their home computers and how they do that. Then use that knowledge to help your co-workers get interested in corporate IT security.

Sending out a "security newsletter" can be a positive thing. Talk about the positive effects that good IT security has - protecting corporate data and customer confidentiality. Talk about how HealthCare Delivery Organizations work to keep your medical record private. Don't try to scare people into security - that will only work for a little bit. If you have numbers of the times bad guys have tried getting into your network, that would be useful.

I've also seen a security newsletter where there's a small quiz and everyone who takes the quiz is entered into a drawing for a small prize.

The best thing you can do is to ensure that you don't affect usability when doing security. That just makes users mad and gets them trying to work around the controls put in place. Sometimes we need to, but I've also seen out-of-control security teams where "yes, we're secure" is the mantra but everyone in the company is frustrated because they have to jump through excessive hoops to do their job.

baldPrussian

You will want to try to stress the benefits of good hygiene and good security practice. You will need to put this into language that the business understands rather than in any technical or security type language.

It is hard to give more specific suggestions without understanding the kinds of security initiatives you have, but as it is an IT company, the first topic might be that of customer trust. Having good security practices that are well documented, certified processes and tools, and clear standards and processes: all these things can work towards your customers being able to trust you more, which is very likely to have a positive effect on sales.

Maybe check out how Microsoft stresses its security for Azure and Office 365 to see examples of how this can work. It is not for nothing that many EU government organisations now prefer Azure over other global cloud solutions.

Julian Knight