This blog has been contributed by the Government Security Secretariat (GSS).
If you work anywhere near government security or information assurance you will have heard the words ‘security culture’ a lot in the past few years - but what do we actually mean by it? It’s a term that we use liberally throughout our policy and guidance but is there a straightforward definition? Or is it just a substitute for not having hard and fast rules?
Security culture has arguably become quite loaded, a catch-all for a range of things including training, staff awareness, behaviours and even communications activities. Given this lack of clarity, is it still a valuable term? Or is it now just used to describe something we can’t properly articulate, and is it therefore perhaps time for a fresh approach?
The New Security Policy Framework has put culture and awareness front and centre of a more nuanced and commonsense approach to security. When we refer to security culture in this context, we are simply talking about creating an environment that supports a security-conscious approach to work and business. As a result, ‘security culture’ doesn’t just refer to padding around a set of security processes or requirements; it refers to the totality of the business environment, a mesh between people, their workplace and processes. In this sense we need to engender something that takes account of these elements, rather than attempt to enforce something new onto them.
A person’s ability to understand their workplace and make good security decisions is essential for the functioning of any business. Our feedback from many civil servants is that the security environment has become too confusing, with too many complex rules and processes. Perhaps some of this confusion and complexity stems from the fact that we (the security community) have a tendency to think backwards from scenarios that we don’t want to occur and then enshrine a policy or control to prevent or mitigate them. By doing this we often frame security in a negative way, rather than as affirmative and forward-looking. We are also likely to differentiate it from normal workplace behaviours, such that security is something that you have to remember to do, rather than instinctively do.
The Government Security Classifications Policy is a crucial piece of this new jigsaw. We have realised that facilitating unthinking or rules-driven behaviour is often counter-productive. Our decision that the OFFICIAL classification should be unmarked was designed to tackle the misconception that civil servants should view the label at the top of a document as more instructive to their handling than the content of the document itself. The new approach aims to give staff more opportunity to use their commonsense and intuition – our organisations are full of skilled and capable people, many of whom have to grapple with complex issues and make difficult decisions on a daily basis. How can we better leverage these behaviours in their native form? Can we balance our approach so that the onus is also on us to manage security risks, by appreciating that, given the opportunity, most people will do the right thing most of the time?
Security culture as something that is unique and separate may have served a purpose, but we must now build on the progress of the last few years and aim to embed these same expectations (and the way that we describe them) into the fabric of our businesses. We must make security as straightforward as possible, work collaboratively with other business areas to achieve shared outcomes, and place greater trust in our staff to do the right thing - being very clear about the consequences when they don’t. We shouldn’t rely on the label ‘security culture’ as a shorthand for all these things, but instead must continue to develop our understanding of what a strong, security-aware culture looks like in a modern and effective civil service.