Book Review - The Security Culture Playbook

Security Awareness and Training programs have been there for a long time. These programs lack the ability to continuously influence and improve security culture effectively. At times when it happens, it is ad-hoc and there is no structured way to adopt and implement.

Perry Carpenter and Kari Roer underscore the fact that awareness is only half the battle of the human layer defense equation which does not translate to the intended behavior that can influence security culture. They offer a proven recipe to build a security culture program end to end through their book "The Security Culture Playbook". The content is divided into three parts - Foundation, Exploration, and Transformation.

The Part I - Foundation, focuses on the definition of security culture, upleveling the conversation, and laying out the foundations of transformation. The first chapter elaborates on what a security culture means to various organizations. Next chapter underscores the significance of telling the human side of the story to executives and upleveling the conversation. This also involves the implications of not getting the human layer right. Third chapter clears the air with the three realities of security awareness (that are obvious but often ignored) before introducing the security culture maturity model (SCCM). The model is data driven and introduces the Culture Maturity Indicators (CMI) and the S-curves.

Part II - Exploration part of the book is just that. It drills further into what security culture is and the variations. The nuances surrounding information security culture, IT security culture, and Cybersecurity culture are clarified. A linear progression of security culture starting with technology focus, compliance focus, and finally human reality focus is explored. Chapter five introduces to some known behavioral economics and social science concepts. The authors suggest that considering the fact that "humans are irrational creatures", will greatly increase the success rate of your program. They further say that even though humans are irrational they do have the capacity to continually improve and that's where security culture program should focus. Chapter six defines the components of security culture and tackles the fundamental problem of defining security culture. After providing the academic and industry perspective, the authors share their working definition. But in order to facilitate measurement the authors define security culture in the form of a more prescriptive seven dimensional interconnected model. The chapter seven offers additional insights about security culture through the interviews with organizational culture experts and academics.

The final part of the book - Transformation is the actionable and prescriptive part of the book. Chapter 8 introduces the Security Culture Framework which is essentially a cyclical process - measure, involve, and engage. This is followed by introducing the Security Culture Survey which is a valuable tool to measure security culture. Chapter 10 describes various ways to influence culture. The authors mention an important observation here - "attitudes had a stronger correlation to behavior than knowledge alone". They further suggest that the security culture management program can target one of the seven dimensions described in chapter six to cause a change. The authors provide the "First two realities of security awareness" that are detrimental to improving security culture. These blockers are detailed in Chapter 11 and resolutions on how to tackle them are also covered. Chapter 12 is all about planning and maturing the security culture program. A deeper dive into the SCCM model that was introduced in Chapter 3. Examples of CMIs are provided that are an integral part of the SCCM model. A tool that Perry used for years to prepare for executive conversations in order to gain and maintain support is shared in Chapter 13. This is a great actionable tool that comes handy for any professional dealing with leadership conversations. Chapter 14 provides additional interviews with security culture thought leaders similar to Chapter 7. All these interviews provide a broader perspective and insights into how various leaders are addressing this security culture challenge. The authors offer valuable community forums, certifications, and resources to leverage in the final chapter.

If you are looking to change the security culture in your organization for the better, then this is your guide. Buy your copy on Amazon and start your security culture change journey. Check out the book site for additional information - https://www.securityculturebook.com/.