The 7 Dimensions of Security Culture

Issue link: https://insights.oneneck.com/i/1476862

A metric is a standard of measurement

Imagine the following conversation between a CISO and her CEO. The CISO reports, "We have positive security culture in our organization." The CEO responds, "Great, but what does that mean? How do you know?" Pushing further, he asks, "Does this mean we are better than X, Y or Z? How does this impact our risk?"

The challenge for the CISO is that unless she has a way to measure security culture, she cannot answer his questions. She may have opinions or reasons to offer the CEO, but it will be very difficult for her to back those up without strong empirical evidence. To provide that evidence, a security culture metric is needed.

A metric is a standard of measurement. Because it is a standard, everyone has a clear understanding of what it is, what it measures, and what it is not measuring. Despite the fact that the words mass and weight are commonly used interchangeably, everyone understands that a kilogram measures mass, not weight. Security culture metrics serve the purpose of measuring security culture; they are not measuring awareness training completion rates or phishing assessments. Security culture metrics measure the sentiments towards security in an organization - the psychological and social aspects that drive individual and social behavior.

By using a standardized metric to measure security culture in the organization, the CISO can provide good answers for the CEO. She can create a baseline measurement for comparison to subsequent measurements, and even track progress against industry benchmarks. Security culture metrics provide a way to demonstrate how the hearts and minds of an organization are changing, and reveal how strong the bricks and mortar of your human firewall are.

CLTRe provides standalone, unbiased and independent security culture metrics. With our solution, organizations can take an evidence-first approach to measure, improve and document the changes in their security culture – knowing that the effects can be compared in a meaningful way.
