Qualitative Security Culture Test 1: The money maker word on the street

The first engagement I use to validate a security lead's claim of "We have a strong security culture" is to walk the halls of the revenue generators (advisors in finance, lawyers in legal consulting, operations staff in supply chain, and so on) and ask two simple questions:

  1. What specific security expectations does the enterprise hold you accountable to?
  2. Which security behavior policies are closely monitored, and what happens if you violate one?

The answers tell me two things as a security awareness practitioner:

  1. Is security actually embedded in the culture, or only in the policy binder?
  2. Is senior leadership governing human risk in a way that employees can see is taken seriously?

If the answers are mumbled, unclear, or less than confident, employees do not even know which behaviors count as monitored violations. If they cannot name the expectation, there is effectively no expectation to act on, whatever the policy says.

Qualitative Security Culture Test 2: Clean Desk Policy Sweep

An overlooked sign of culture strength is employees who consistently keep their workspaces free of operational documents, lock their screens when they step away, and leave whiteboards blank. This may seem like a cutesy engagement, but these policies exist for a reason, and checking compliance does double duty: it catches real exposures, and it demonstrates accountability. Too many organizations insist on a clean desk policy yet rarely, if ever, test for it, which tells staff that security policies are suggestions, not expectations. That fosters a culture of convenience over security, and the blame sits with security leadership that never follows up.

At least annually, and preferably twice a year, walk the work areas after hours and inspect for:

  1. sensitive printed documents, notes, or papers left on desks or in plain sight while employees are away.
  2. whiteboards showing passwords, access codes, or other confidential information that should have been erased.
  3. computer screens left unlocked or sessions left logged in.
  4. unsecured removable media such as USB drives, external hard drives, or backup tapes.
  5. access cards, keys, or other physical access tokens left unattended.
  6. general tidiness and organization of the workspace, since clutter increases the risk of accidental exposure of sensitive information.

Outside of these inspections, also confirm that every work area has reasonable access to a secure shredding bin. If one does not, put in a formal request to change that; a clean desk policy without a disposal path pushes people back toward the wastebasket.

Why it’s extra impactful