I appreciate that organizations are beginning to realize that they need to understand their corporate culture in their implementation of awareness programs. It is long overdue. Unfortunately as a concept, it is being grossly misapplied. In short, you don’t want to adhere to culture, you want to improve culture.
To utilize culture, you need to understand what a security culture actually is. When I co-wrote Advanced Persistent Security, the best definition that my co-author and I found was that security culture is the consolidated behaviors within an organization as they pertain to security. While it is a concise definition, it is not intuitively easy to understand and apply.
In many ways, a security culture is peer pressure and as such is self-perpetuating. Think of an organization dress code. If everyone wears a suit (or female equivalent) to work, anyone not wearing a suit will usually feel awkward and frequently be instructed to wear a suit in the future. Alternatively, if nobody wears a suit, anyone wearing a suit will be blatantly or subliminally pressured into not wearing a suit in the future.
With security, consider wearing badges. As a consultant who helps organizations with awareness programs, I frequently go to customer facilities and when I am provided with a badge, I put it on and wear it appropriately. However, as I walk around the facility, if I am the only person wearing the badge, I will take it off, as I don’t want to stand out. That is would be true for everyone in an organization, including new employees. This is true for writing down passwords or not. This is true for allowing tailgaters through doors or not. This is even true for phishing for the most part.
A security culture creates and reinforces security behaviors. These security behaviors are not just for preventative behaviors, but for detection and reaction as well. For example, protection involves employees knowing to clean their desktops and lock the drawers at the end of the day. Detection means that employees will notice when there are other assets that are not locked up. Reaction means that when an employee detects that assets are left vulnerable, they know to what to do in response.
In the above example, in a strong security culture, people will be instructed how to behave and act. They will be walked through the process of closing up their desk at the end of the day, and also told how to police the area before departure, if they are the last person to leave. If a person leaves their area unsecured, another person will notice and inform them of the issue. If they don’t, a security guard will likely perform rounds and find the issue.