
People-Centric Security: Transforming Your Enterprise Security Culture (PDF)

416 pages · 2016 · 15.299 MB · English
by Lance Hayden

Preview: People-Centric Security: Transforming Your Enterprise Security Culture

AppDev / People-Centric Security: Transforming Your Enterprise Security Culture / 677-8 / Front Matter Blind Folio i

People-Centric Security
Transforming Your Enterprise Security Culture

Lance Hayden

New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto

00-FM.indd 1 11/08/15 11:55 AM

Copyright © 2016 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-184679-0
MHID: 0-07-184679-4

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-184677-6, MHID: 0-07-184677-8.

eBook conversion by codeMantra
Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

To Jayne and Wyatt, because everything.

About the Author

Dr. Lance Hayden is a managing director in the Technology Advisory Practice of BRG, an international strategy and research firm. Dr. Hayden’s security career spans 25 years across the public, private, and academic sectors. His interest in human security behaviors and culture began while a HUMINT operations officer with the Central Intelligence Agency, and continued in security roles at companies including KPMG, FedEx, and Cisco. Dr. Hayden provides expert advice and consulting on information security strategy, measurement, and culture to companies and governments around the globe. In addition to People-Centric Security, he is the author of IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data, also from McGraw-Hill Education. Lance received his PhD in information science from the University of Texas, where he also teaches courses on security, privacy, and the intelligence community. He lives in Austin.

About the Technical Editor

David Phillips has been protecting clients’ IT systems for over 20 years, including technical mitigation, information security risk programs, IT network security architecture, and regulatory compliance. David developed a growing professional service business inside a multinational networking corporation focused on cybersecurity, protecting clients’ intellectual property and customer data, and securing networks to allow for resilient IT infrastructure in the face of cyberattacks. His clients have included multibillion-dollar businesses in the retail, finance, manufacturing, energy, and healthcare verticals. David has worked with global enterprises to measure and mature their security capabilities across people, process, and technology, spanning levels from technology management to security awareness and security cultural transformation. David lives outside of Austin, Texas.

Contents at a Glance

Part I Understanding Your Security Culture
Chapter 1 Information Security: Adventures in Culture Hacking ... 3
Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture ... 19
Chapter 3 Organizational Culture: A Primer ... 39
Chapter 4 Cultural Threats and Risks ... 59

Part II Measuring Your Security Culture
Chapter 5 The Competing Security Cultures Framework ... 81
Chapter 6 The Security Culture Diagnostic Survey (SCDS) ... 115
Chapter 7 Creating Culture Maps with the Security Culture Diagnostic Survey ... 139
Chapter 8 Implementing a Successful Security Culture Diagnostic Project ... 159

Part III Transforming Your Security Culture
Chapter 9 From Diagnosis to Transformation: Implementing People-Centric Security ... 189
Chapter 10 Security FORCE: A Behavioral Model for People-Centric Security ... 201
Chapter 11 The Security Value of Failure ... 219
Chapter 12 The Security Value of Operations ... 239
Chapter 13 The Security Value of Resilience ... 263
Chapter 14 The Security Value of Complexity ... 285
Chapter 15 The Security Value of Expertise ... 309
Chapter 16 Behavior and Culture: Mastering People-Centric Security ... 333
Chapter 17 Leadership, Power, and Influence in People-Centric Security ... 357
Chapter 18 Securing a People-Centric Future ... 369
Index ... 381

Contents

Foreword ... xvii
Acknowledgments ... xviii
Introduction ... xix

Part I Understanding Your Security Culture

Chapter 1 Information Security: Adventures in Culture Hacking ... 3
    Burnt Bacon ... 4
    Safe and Not Secure ... 6
    What Were You Thinking? ... 6
    Culture Hacking ... 7
    Software of the Mind ... 8
    A Brief History of Culture Hacking ... 9
    Security Culture: Hack or Be Hacked ... 10
    Who’s Hacking Your Security Culture? ... 11
    Security, Hack Thyself ... 12
    Culture Hacks: The Good ... 14
    Culture Hacks: The Bad ... 15
    Culture Hacks: The Ugly ... 16
    Security Is People! ... 17
    Further Reading ... 17

Chapter 2 Strategy for Breakfast: The Hidden Power of Security Culture ... 19
    Why Security Fails ... 20
    We Start with a Design ... 20
    Warning Signs ... 22
    Doing More with Less ... 23
    Who Moved My Fence? ... 24
    Look Out Below! ... 27
    Getting the Drift ... 27
    The Opposite of Monoculture ... 28
    Cultural Traits in Information Security ... 30
    Competing Values and Security Threats ... 34
    The Change Agents of Security Culture ... 35
    The C-Suite ... 35
    Security Awareness Teams ... 36
    Security Researchers ... 36
    Security Practitioners ... 37
    Making Security Cultural ... 38
    Further Reading ... 38

Chapter 3 Organizational Culture: A Primer ... 39
    The Field of Organizational Culture ... 41
    Origins ... 41
    Outcomes ... 42
    The Culture Iceberg ... 43
    Hidden Aspects ... 44
    People Powered ... 46
    The Organizational Cultural/Organizational Performance Link ... 47
    Assessing and Measuring Culture ... 49
    Qualitative vs. Quantitative Measurement of Culture ... 49
    Qualitative Measures and Techniques ... 50
    Culture by the Numbers ... 51
    Challenges of Cultural Transformation ... 53
    There’s No One Right Way to Change Culture ... 54
    You Have to Include Everybody ... 54
    You Have to Build Consensus ... 54
    You Have to Evaluate the Outcomes ... 55
    You Have to Have Good Leadership ... 56
    An Ocean of Research ... 57
    Further Reading ... 57

Chapter 4 Cultural Threats and Risks ... 59
    Cultural Threat Modeling ... 60
    Covert Processes and Cultural Risk ... 61
    Getting to Know PEPL ... 62
    Political Threats ... 64
    Emotional Threats ... 66
    Psychological Threats ... 68
    Logistical Threats ... 72
    Cultural Competition as a Source of Risk ... 73
    Sizing Up the Competition ... 74
    Further Reading ... 77

Part II Measuring Your Security Culture

Chapter 5 The Competing Security Cultures Framework ... 81
    Measuring Security Culture ... 82
    Quantitative Data and Analysis ... 83
    Qualitative Data and Analysis ... 87
    Combining the Qualitative and Quantitative ... 88
    Other Ways of Describing Culture ... 91
    The Competing Security Cultures Framework ... 94
    Origins of the CSCF in Competing Values Research ... 94
    Adapting the Competing Values Framework to Security ... 96
    The CSCF Quadrants ... 99
    Overlapping and Competing Values ... 100
    Limitations of the Framework ... 101
    Why Not Just Use the Competing Values Framework? ... 102
    Security Culture Benefits From a Targeted Approach ... 102
    Not Everything in the Competing Values Framework Translates Well ... 103
    Organizational Security Cultures ... 104
    Process Culture ... 104
    Compliance Culture ... 106
    Autonomy Culture ... 109
    Trust Culture ... 112
    Further Reading ... 114

Chapter 6 The Security Culture Diagnostic Survey (SCDS) ... 115
    SCDS Format and Structure ... 117
    How Surveys Work ... 117
    Questions in the SCDS ... 118
    SCDS Scoring Methodology ... 125
    Scoring the SCDS Results ... 126
