TIME IS ON YOUR SIDE - Build a Security Culture (2015)


You have successfully reached the end of this book on security culture. You have learned what security culture is and how it relates to security awareness. You have tapped into social sciences with a focus on psychology, so we can better understand how people interact, behave and inform their actions. This is knowledge that is important to have when bringing about cultural change. You have also read about security culture metrics and how to use the Security Culture Framework to build and maintain security culture.

There are a few final things I need to share with you.

Reading this book does not make you an expert on this topic. Even writing this book, I do not consider myself the one know-it-all - there are so many different aspects of culture, people and behaviours that we still do not understand. That is one of the reasons I am back at the University of Oslo where I am reading psychology. I want to help the industry by building a body of knowledge on security culture. I am dedicating my time and resources because I believe it is important for us as an industry to understand people for real, if we want to bring about change.

However, reading this book shows that you, just like me, are interested in this topic. Hopefully that means you will bring about positive change in your organisation now and later. I also hope you find it interesting to learn more about culture, diversity, learning and communication. There is an abundance of topics related to security that is not directly to do with malware, firewalls and pen testing. These topics are not at all new. Since the dawn of human existence we have built security culture into our societies. I see no end to the need for understanding how we can become even better at this.

Changing culture takes time. Sometimes it works, other times it doesn’t. Scientists disagree about the reasons and the methods. There are an unknown number of unknown factors that may or may not apply to your success. One thing is for sure, though: if you are not in charge of the culture yourself, culture will be in charge of you. Set your goals, and work towards them. Small steps do it.

My experience shows that a structured approach is more likely to yield success than any of the happy-go-lucky approaches I’ve seen. A programme that brings about change also plays with all elements of culture: technology, policies and people. Sometimes they succeed right away, and other times they need a number of tries.

What I see in the programmes we run is that time is an important asset. Have a long perspective. And by long, I mean 3-5 years’ time. Longer if possible. Create a vision, or big goals for that period, and break it down into smaller targets you can use as milestones. Have at least one yearly target, and work to reach that one. Adjust your course as you learn more. And never settle down!

Building and maintaining culture is not something you do once and then you’re done. It’s an ongoing, never-ending process. Either you are in charge of it, or it controls you. Think of culture as a constant feedback loop creating a mutual change-cycle. You are part of the culture, part of that feedback loop, feeding it with your own behaviours, ideas and customs. The more of you who join forces and feed it with common behaviour, the more the culture will impact the others too. Use it to your benefit!

I welcome your insights, ideas and thoughts on the Security Culture Framework community at securitycultureframework.com. Let us join forces and build better security culture!


IT Governance Ltd sources, creates and delivers products and services to meet the real-world, evolving IT governance needs of today’s organisations, directors, managers and practitioners.

The ITG website (www.itgovernance.co.uk) is the international one-stop-shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy.

Publishing Services

IT Governance Publishing (ITGP) is the world’s leading IT-GRC publishing imprint that is wholly owned by IT Governance Ltd.

With books and tools covering all IT governance, risk and compliance frameworks, we are the publisher of choice for authors and distributors alike, producing unique and practical publications of the highest quality, in the latest formats available, which readers will find invaluable.

www.itgovernancepublishing.co.uk is the website dedicated to ITGP. Other titles published by ITGP that may be of interest include:

• CyberWar, CyberTerror, CyberCrime

• Governance and Internal Controls for Cutting Edge IT

• The Case for ISO27001: 2013


We also offer a range of off-the-shelf toolkits that give comprehensive, customisable documents to help users create the specific documentation they need to properly implement a management system or standard. Written by experienced practitioners and based on the latest best practice, ITGP toolkits can save months of work for organisations working towards compliance with a given standard.

To see the full range of toolkits available please see:


Books and tools published by IT Governance Publishing (ITGP) are available from all business booksellers and the following websites:
Training Services

Staff training is an essential component of the information security triad of people, processes and technology, and of building a security culture in an organisation. IT Governance’s ISO27001 Learning Pathway provides information security courses from Foundation to Advanced level, with qualifications awarded by IBITGQ.

The ISO27001 Learning Pathway comprises the following courses:

• Foundation level

   – ISO27001 Certified ISMS Foundation course

   – ISO27001 Certified Internal Auditor course

   – Information Security Foundation based on ISO27002 course.

• Advanced level

   – ISO27001 Certified ISMS Lead Implementer Masterclass

   – ISO 27001 Certified ISMS Lead Auditor course

   – ISO27005 Certified ISMS Risk Management course

   – ISO 27001:2013 ISMS Certified Transition course.

Many courses are available in Live Online as well as classroom formats, so delegates can learn and achieve essential career progression from the comfort of their own homes and offices.

Delegates passing the exams associated with our ISO27001 Learning Pathway will gain qualifications from IBITGQ, including CIS F, CIS IA, CIS LI, CIS LA, CIS RM and CIS 2013 UP.

IT Governance is an acknowledged leader in the world of ISO27001 and information security management training. Our practical, hands-on approach is delivered by experienced practitioners, who focus on improving your knowledge, developing your skills, and awarding relevant, industry-recognised certifications. Our fully integrated and structured learning paths accommodate delegates with various levels of knowledge, and our courses can be delivered in a variety of formats to suit all delegates.

For more information about IT Governance’s ISO 27001 learning pathway, please see: www.itgovernance.co.uk/iso27001-information-security-training.aspx.

For information on any of our many other courses, including PCI DSS compliance, business continuity, IT governance, service management and professional certification courses, please see: www.itgovernance.co.uk/training.aspx.

Professional Services and Consultancy

ISO27001, the international standard for information security management, sets out the requirements of an information security management system (ISMS), a holistic approach to information security that encompasses people, process, and technology. Only by using this approach to information security can organisations hope to instil an enterprise-wide culture of security.

Implementing, maintaining and continually improving an ISMS can, however, be a daunting task. Fortunately, IT Governance’s consultants offer a comprehensive range of flexible, practical support packages to help organisations of any size, sector or location to implement an ISMS and achieve certification to ISO27001.

We have already helped more than 150 organisations to implement an ISMS, and with project support provided by our consultants, you can implement ISO27001 in your organisation.

At IT Governance we understand that information security is a business issue, not just an IT one. Our consultancy services assist organisations in properly managing their information technology strategies and achieving strategic goals. The benefits of choosing an IT Governance Consultancy Service are:

• We speak business, not technology: we are technology literate business consultants.

• We are vendor neutral, technology independent and framework agnostic, and tailor our consultancy to your organisation.

• Our transparent pricing enables you to control your costs.

• We have over ten years’ consultancy experience.

• We have a proven track record, working with organisations worldwide.

• We help you increase internal buy-in to your project by using your resources.

• We focus on transferring knowledge and skill to the people within your organisation.

For more information on our ISO27001 consultancy service, please see: www.itgovernance.co.uk/iso27001_consultancy.aspx.

For general information about our other consultancy services, including for ISO20000, ISO22301, Cyber Essentials, the PCI DSS, Data Protection and more, please see: www.itgovernance.co.uk/consulting.aspx.


IT governance is one of the hottest topics in business today, not least because it is also the fastest moving.

You can stay up to date with the latest developments across the whole spectrum of IT governance subject matter, including risk management, information security, ITIL and IT service management, project governance, compliance and much more, by subscribing to ITG’s core publications and topic alert emails.

Simply visit our subscription centre and select your preferences: