Wanted: Security Cultural Artifacts
I was in a meeting and someone from another company (but with a good reason to want to know) asked me, Does your organization respect the need for security or do they view the requirements you bring to them as an annoyance and a burden? In other words, he asked if we have a good security culture.
I told him that I am indeed fortunate that when I add security requirements to a project, or alert admins to a newly-uncovered flaw that make their systems less secure, it is always a welcome addition. I know there are plenty of organizations where this is not true: where "Security" shows up and eyes begin to roll even before s/he speaks. So I know I am lucky this way.
But he went on to ask, How can you show me that? And that stopped me cold. I realized that, even though I am in a good security culture I don't really have artifacts to demonstrate that fact. I can show that awareness training takes place... but not that people are happier for having been trained. I can show that risk mitigation is done (and on time!)... but not that anyone welcomed the tasks or was glad to do them.
We security practitioners always talk about wanting to have this kind of security culture in our organizations. How do we know when we get it? It's like Justice Stewart's famous non-definition of obscenity: "I know it when I see it." But if it has business value -- and I believe we'd insist to our last breath that it does -- then it should be measurable. So how is it measured?
I don't think a survey can truly measure something like this. I am fairly sure that responses to surveys of employees are skewed in the direction of "good news." Employees know what answers their employer wants, and protestations of the survey manager that all responses are confidential and anonymous might be a tad more credible if the survey link didn't arrive in the company email inbox sporting a 56-character random-looking string after the '?' in the URL.
In any case, now I am now on the hook to produce artifacts of the good security culture in which I work, and I am not sure what those might look like.
Have you ever been asked for such things? Or perhaps you know of a way to measure "security culture?"