CISO Summit No 17: Security Culture - how to measure, change and optimize?

Culture could be considered as “the ideas, customs, and social behavior of a particular people or society” and represents commonalities of specific groups of people, including beliefs in specific values. Typically, most people think that culture is rather static than dynamic.

Our observation of the recent past depicts fast changes in technological and communicative means such as the internet, smartphones, group building (including on-line groups), innovation and societal integration. An additional factor is the seamless mixture of societies, such that we work today naturally in teams from many nations, while 50 years ago, we immediately felt a difference, even from people of another city in Switzerland.

As a security offi cer, we are concerned with all three issues simultaneously: fast changes, a seamless mixture of people with different origin, and nearly any mixture of beliefs and values. Without governance and clear direction, companies might develop a nearly unlimited number of very different odd subcultures. Now begins our tasks to care for a forward-directed and agile security culture, which adapts continuously to new situations.

We will get a report from Swisscom (main issue: business IT, Mobility, and cloud) and from SBB (Main issues OT, digitization, industrial control systems), and how they approach this enormous challenge.  First turn around the employees to accept net technology, processes and human interaction, and then demand on top of these aspects a new security culture. How to keep motivation at a high level, create identification with the security controls, and protect the IPR and the data? How to measure these aspects, and how to select the best option in specific situation for well-defined change program? Now we welcome you in the world of the 17th Swiss CISO Summit.