Eugene Kaspersky has an interesting view of the information security landscape. "I recognise the fight against security as an endless war," says Kaspersky, chief executive officer of Russian security software vendor Kaspersky Lab. "It is like Harry Potter. There are good guys and bad guys fighting endlessly against each other. I have instilled this culture of endless war in our company, so that fighting viruses is not just our job, it is our life."
Kaspersky Lab's attitude to IT security is understandable given that the company makes its living securing computers. Other businesses, however, often find that a less security-conscious culture makes their employees a greater source of security risk than external threats such as criminals or hackers.
Employees do not represent risk because they are malicious. Instead they simply blunder their way into danger by visiting compromised websites or opening infected documents while at work, often because they are ignorant of the risks or assume they are protected by their employers' security controls.
Changing that behaviour, experts agree, is not best achieved by locking down computers and restricting their ability to make mistakes. Instead, staff will become less of a risk as the result of a workplace culture that values employees' role in helping to keep a business secure.
"Consumers now have a much better understanding that the internet is not a lovely place full of nice people," says David Sykes, vice-president, Pacific region, for security vendor Symantec. "They understand they have stuff they want to protect and there is broad-based awareness of the threats.
"To convert that into a security culture at work, businesses need to link that dull background awareness into an understanding that staff can lose their jobs if they do not respect security."
Ajoy Gosh, security solutions executive at LogicaCMG, believes that helping workers to improve security at home and at work can help to create a security culture.
"You need to consider the problem of many truths," Gosh says. "Employees are overwhelmed with information about security: my seven-year-old came home with a pack educating parents about computer security written by the school.
"People will pick one idea and focus on it and then transfer that to other situations."
Gosh therefore advocates businesses going out of their way to educate staff about IT security, so that the work version of security becomes the baseline model that staff take into all of their computing activities, instead of relying on other sources of information that may have lower standards.
That education, he says, should emphasise personal responsibility. Many organisations need to get better at understanding that education is not about the employee or the corporation - it is about "me", and I can do it because it is easy and does not impact productivity.
"If you can convince the team it is about them, you will see cultural change," Gosh says.
Rob McAdam, CEO of Pure Hacking, recommends using real-life scenarios and tests as the best way to show your team that security is their responsibility.
"You can make sure that staff and colleagues don't fall for silly things like clicking on a fake email by testing them in real life circumstances," McAdam says. "That testing determines whether they will fall for the tricks. The tricks such as phishing only work when the victim is ignorant as to how it works."
This kind of training for staff is not, however, the ultimate solution. Indeed, McAdam believes that even more important than staff training is executive determination to take the issue seriously before a security incident puts the topic on the agenda.
"From personal experience working with industry, a security culture is derived after some form of security catastrophe," he says. "Until that occurs, there's no problem. The security catastrophe creates immediate awareness and places rectification and security awareness at the top of the executive management's agenda. It's not that security is unimportant, it's just not as urgent as other issues until the catastrophe hits."
That's not a useful culture, however, for Eugene Kaspersky.
"Our culture assumes that there are bad guys and good guys and no one in between," he says. "To have good security you need to be a hero who fights the bad guys."
Australian Financial Review
©Fairfax Business Media