What Is a Human-Centric Security Culture?
Human-centric and security culture are often terms we do not find used together, more so in a strategy.
When defining what building a human-centric security culture means to your organization, it is best to understand what human-centric means in general in a company.
What is human centricity?
Human centricity means taking an approach to building your policies, processes, procedures, and guidelines integrated with an empathetic understanding and caring of your employees.
An essential aspect of developing your security culture and strategy is centering humans, your employees. Consider how your employees feel about security, their level of understanding, and how it relates to everyday operations contributing to the company's security maturity level.
When implementing human centricity into your security culture, it's essential to understand that you and your team can not please every individual's wants, desires, and archetype (a type of user or a group of people).
Some organizations might have archetypes of folks who are passionate about security and technology. On the other hand, you might have some employees who have no interest in and dislike technology. This archetype might dislike technology in general because it feels challenging. But given the right amount of care and empathy, they could be willing to learn and change their mindset towards improving their security hygiene.
Traditional security cultures
Traditionally, building a security culture is often centered around strict industry certifications, policies, laws, and regulations such as GDPR, ISO 27k, and SOC. Policies are often a baseline for building a security culture, and policies can be seen as restrictive. They can seem like a "meaningless" hindrance to work and productivity.
Often, security cultures include informing instead of listening and understanding. Security professionals are taught that employees in the organization are the most significant risks and to "manage those risks." It's common to see employees as threats instead of a collaborative approach where employees are viewed as potential allies and champions.
When building a security culture, there should be a balance of overall business goals, security risks, and gauging security maturity.
What does it take to integrate human centricity into your security culture?
Three simple steps to get started:
1. Understand the company's business goals, assess the current security maturity level, and identify the present security culture.
Meet with the company stakeholders, including C-suite, if possible. They can help provide information on business goals such as plans for its growth, geographical expansion trajectory, past unmet goals, and more!
Identifying the security maturity and culture entails working closely with the IT, Compliance, and Legal departments. It's crucial to meet with each department to assess the implementation status of policies and controls. In some organizations, policies and controls may be ineffective due to being partially implemented because of weak strategy and lack of employee alignment.
2. Build relationships with all people of the organization and define archetypes.
Build relationships with various employees within the company—interns, stakeholders, management, and folks with long tenure in the company. Talking to these diverse sets of folks will help you understand the company's general view of security. This is especially true for management, as they are most likely to influence change and help move improvements forward.
Build your procedures and guidelines based on these different archetypes. Perhaps if you are in an organization with many folks who are not technically inclined, it's best to ensure guidelines, processes, and procedures should be simple for anyone of any reading level to understand.
Determining archetypes can be done in various ways, whether through employee onboardings or having coffee chats. The human-centric part of this step is exploring the different methods of communication and feedback. Some may be open to coffee chats, lunch, Slack-based discussions, or anonymous surveys.
Hearing the different perspectives within the company will help you narrow down at least 3-5 archetypes that you can use as a baseline to creating your human-centric strategy within your security culture.
3. Regularly review your employee perception towards security, the company's security maturity, and overall effectiveness.
Continuously inquire with employees for honest feedback and areas of improvement your security team can make. The direct feedback will help you determine if you are following the right path.
A key aspect of building a human-centric security culture is building relationships with everyone, showing respect, and creating a personalized experience based on archetypes and departments. When a company understands its different archetypes, security maturity, you can build a strategy for your human-centric security culture focused around these archetypes.
An essential part of building a human-centric security culture is always keeping your employees first when cultivating your security culture, leading with empathy and understanding.