Protecting an organisation against cybercrime is at the top of the list for most executives. A positive security culture which effectively “co-opts” every employee onto the front line is a formidable weapon in the battle against the rising tide of security threats.
Yet, making every individual aware of their contribution and fostering partnership in a way that actively influences behaviour when dealing with security risks is a complex undertaking, even for the most straightforward of businesses.
But what if you head up a multinational, spanning different cultures as well as continents? Two major challenges spring to mind. First, there are often differences in laws, codes and regulations from one country to another. Second, and more significantly, security culture is deeply influenced by attitudes and approaches, which can vary greatly between countries and cultures.
Let us give you an example. In the course of a Security Awareness Assessment in the United Arab Emirates, we asked employees if they are aware of the security policy guidelines. The majority answered yes. However, when asked if they knew where to find the security policy, almost no one knew where to find it.
This seems like a paradox, until you take into account the cultural context. In the Middle Eastern culture, it is very common for management to give instructions and guidelines, due to the hierarchical style of culture. In terms of information security this means that employees will follow instructions from autocratic superiors on how to handle information, rather than follow written guidelines.
Security awareness campaigns and guidelines therefore have to take account of local culture and interpretation to be completely effective. In fact, what works in one country may be very different to what works in another.
As uniform as possible, as individual as necessary
Uniform regulations are very important, yet for an effective security culture to take hold and become a powerful defence against cybercrime, local culture and practice must play a big part as well.
Very often, a certain amount of compromise is necessary to ensure that there is an optimal balance between conforming to every single rule, and embedding security culture successfully throughout an organisation. In short, the guiding principle should be: As uniform as possible, as individual as necessary.
Speaking the language of security
One of the easiest challenges to overcome is language. We’ve all seen examples of less than perfect translation, but language is such an important element in culture that it has to be exactly right. We strongly recommend promoting security awareness campaigns in an employee’s native language.
It’s also really important that the translation is not only completely accurate, but that the wording and phraseology corresponds with common usage in the particular country. Overall, the translation needs to get the message across in a convincing and compelling way, which may be quite different from how it was originally written.
Brochures, information and security regulations should be translated into all relevant languages too, ideally with the involvement of a senior country manager who is familiar with both the nuances of local culture and the security needs of the organisation.
The establishment of a strong security culture is intrinsically complex but inherently valuable. Nurturing and promoting an effective culture that remains viable across different cultures and countries adds another level of complexity to the task. However, the benefits of a risk-aware, engaged and motivated international workforce, which instinctively knows how and what to protect can’t be overstated in today’s business environment.
Read the Awareness is only the first step white paper to learn more.