Six core principles

The NCSC has published a list of six core principles that it believes will help security leaders create the optimal conditions where a security culture that values security behaviours and enables people to feel safe engaging with it can thrive.

It said it hoped to help build workforces that are both high-performing and cyber secure, noting of course that all businesses are unique to some degree, and no one-size-fits-all approach can possibly cover off all the bases.

In order, the cyber security culture principles are as follows:

1. Cyber leaders should endeavour to frame security as something that enables a business to achieve its core goals. People should be encouraged to understand how important cyber is in keeping their day-to-day IT running and their data available, and how their own behaviours contribute to this. It is also important to try to frame security policies and processes as things that don’t block people from doing their jobs properly. Those working in the security function should be taught to be aware of how they might do this, and empowered to work to reduce possible negative impacts, for example, problems arising from blocking access to a third-party tool that core workers have embedded in their workflows, without first standing up an alternative, for example.
2. Cyber leaders should work to build safety, trust and processes to encourage openness. Here, good looks like creating a psychologically safe environment where people feel comfortable talking about cyber security, with quick and accessible routes to asking questions or reporting problems. Incident investigations, where needed, should be run from the perspective of learning and improving, not blaming, and innocent mistakes should never be punished.
3. Cyber leaders should work to embrace change in order to manage new threats, and take advantage of opportunities to improve resilience. Resilient organisations are, at their hearts, adaptive, and this holds true for security cultures, which should be positive about change, but cautious when rushing into making changes that may prove disruptive. People on the receiving end of new security policies should feel supported in working through their impact.
4. Cyber leaders should try to ensure social norms within their workplaces promote secure behaviours. Many businesses talk a good game but when push comes to shove, unwritten rules about what shortcuts are fine to take, and where the security team turns a blind eye, often render the security function essentially pointless. Simply asking people not to do something silly, like taking confidential files home with them on a USB stick, is not enough, leaders need to put in the work to get to the heart of the norm and address the underlying company values – in this example this could be pressure to get work done out of hours or on weekends – that make them ‘acceptable’.
5. Cyber leaders should encourage their organisations’ wider leadership teams to take responsibility for the impact their actions have on security cultures, agreeing and communicating shared purposes and making these central to decision-making. The c-suite must be leant on to model secure behaviours and positively influence the business’ social norms, and disincentivise problematic behaviour that they may have inadvertently deemed acceptable.
6. Finally, cyber leaders should provide well-maintained security rules and guidelines that are accessible and easy-to-understand. Rules should be tested to ensure they are effective, contribute meaningfully, are usable, accessible and inclusive, and aligned with the business’ shared purposes. It is particularly important to enable people to understand the difference between rules that must be followed and mere guidelines that give advice. Feedback must be constantly sought and incorporated into policies, and changes should be widely communicated with out-of-date material expunged from onboarding packs or company intranets.