In today’s episode Monica Verma talks with an industry leader & security culture coach Kai Roer, on:
1) What is 'good' security culture?
2) Can you define and measure good security culture?
3) Does the security culture start and stop? Are there clear demarcations?
4) Has Covid brought additional challenges for security awareness?
5) What are some of the biggest challenges around security culture?
1. How do you even define good security culture? What is good?
"That's an excellent question! There are two ways of answering that question. The pragmatic or difficult one, if you like, is to say that: well, that actually boils down to you. You have to figure out what 'good' means to you. And in this context of security culture, if you choose to go down that route —which is fine, you can do that— I strongly suggest that you look at a specific set of behaviors, but remember the plasticity and the norms and ideas that you want your organization to have. But the other approach to defining good security culture is to use the 'security culture survey' and have a score of 80 or above. Then you actually know that you have a good security culture, using a validated and reliable measurement instrument."
2. Is there a point where security culture starts and stops? Or is it something that we should be having 24/7 in the back of our heads?
"So I think that it's important here to differentiate between the 'cultural side' of things: which is how we behave, think, and our customs in a specific group. And 'you' — so you as an individual, how you think, how you behave, when it comes to security. And if we start with the latter: I believe that you as an individual always need to be vigilant, and take precautions when it comes to any kind of, you know, 'stop-think-click', right? Because it matters —your brain is really fascinating in that way, right? So as an individual, you need to be vigilant. In your organization, you also need to be vigilant, but it's a different kind of vigilance. Because in a group of people, you will observe what other people are doing, you will listen to what they are saying. And then you will let those kinds of insights and inputs control, or at least direct, your actual behaviors. And the challenge today is that most of us are working from home —or me from my camper van out in the Norwegian forest. But the challenge then is that I don't go into the office; you don't go into the office; the person listening and watching doesn't go into the office anymore. And what happens then is that we no longer get that social interaction that helps us choose our beliefs and our behaviors. And in that regard, I believe that both we as individuals need to be more vigilant, and also the organization you work for needs to change how they do security awareness trainings, and of course security behavior assessments, and understand that the situation is very different now. So the way we deal with this needs to be different."