How to create a security culture
By Christophe Clement, Head of Operational Risk Management & Permanent Control, SGSS
“Financial institutions are in the business of trust and security should be in their DNA. Obviously, financial services providers must invest in the technology and in the expertise needed to protect the organisation from security breaches and rapidly detect new threats and incidents; but if a well-oiled security control framework is a necessity, a strong security culture amongst staff is indispensable.”
How to activate all your employees as sensors and defenders against security threats. How to make security everybody’s job, including the business’ and line management’s. “A risk control framework is necessary and mandatory; security culture among staff is essential”.
In any professional environment, culture is the result of the combination of the values expressed by the organisation and each employee’s personal experience in the workplace, especially their interactions with each other and with their managers. Banks with a strong client culture - as we have in Societe Generale Group - also have a strong security culture as teams know that any one incident could lead to an impact on clients and damage relationships. This culture has to permeate throughout the organisation, including its subsidiaries and locations around the world. When joining SGSS, I was impressed with the inherent team spirit in all of our locations and with the commitment that our teams demonstrate to shield our clients from inconvenience when serious issues are encountered.
In due diligence, or RFP documents, clients are increasingly asking specific questions about operational security, business continuity, information security and data protection. These have clearly become essential elements for clients.
One of the most important elements of a security culture is that staff should be comfortable with highlighting security-related issues. All employees should be able to report anomalies, mistakes or their concerns about particular practices easily, without delay and without censure. The dialogue between staff and managers should be open and easy. When a security culture is established within an organisation, all employees recognise that they have a personal responsibility for safeguarding against breaches. By encouraging the immediate reporting of mistakes or breaches, the impact on clients can be reduced. To ensure such a culture, it is essential that operational mistakes are pardoned when promptly and clearly reported.
A security culture is characterised by mutual trust among staff, managers and teams in charge of an operational security framework. This should be reinforced by a close cooperation between people responsible for the security framework and the operational teams - and proximity does imply switching roles. Societe Generale Securities Services, for example, has a dedicated division of Operation Security Managers in charge of the risk framework which is independent from SGSS management. Their role is to support and challenge the SGSS teams in operations, information security and business continuity matters. They make sure the Societe Generale Group methods and standards are applied by the operational staff (risk assessment, updated control plan, indexing and analysis of incidents, etc.). Direct involvement from operational staff members in monitoring their operations is also central to building a sustainable security culture. At SGSS, we combine the application of Group level methods and standards across businesses and locations with the fact that operational staff and managers are responsible for both designing and implementing their control plan.
Constantly raising awareness to all staff about the wide range of security threats is essential to nurturing a security culture within the organisation. At SGSS we are taking an almost “ludic” approach to developing crisis management processes; for instance, on business continuity, we organise tests and role-playing games with crisis simulations involving senior managers of the bank who do not know about the scenario in advance. Another educational activity includes sending fake phishing emails to staff in order to test their awareness of issues such as social engineering–employees clicking on a suspicious link, for instance, are redirected to an information security awareness web session. Moreover, methods and standards are not limited to the workplace environment, but should also be considered when outside of work. Employees are therefore regularly informed of security issues that may arise when they are using personal computers and other devices. We believe that awareness of security issues at home will help to reinforce security awareness at work. To keep employees up to date with the latest issues and solutions, we also provide online training sessions and conferences, and send regular internal emails about tips and tricks to improve security.
Increasingly, Chief Information Security Officers and other personnel in similar roles in the banking industry are working together to share ideas about common threats and about the new technology needed to improve security. When it comes to security, a cohesive team spirit between financial institutions is an added value for all; we are now in a period when banks are working together globally to strengthen their response to security threats.