Cultural audits do not have to be large, lengthy audits that track behaviours over time to add value. What follows is an example of a short, targeted audit focused on security culture in a small government agency to support their journey in maturing their security culture against a tight resourcing framework.

Context

Early discussions in planning for an audit of IT security established that management had strong awareness of the gaps in ICT security arrangements. Several improvements had recently been made with more being underway. It was clear that understanding how staff interact with security practices would be of greater value than a traditional compliance assessment against the Protective Security Policy Framework or Essential Eight.

Although the agency is small, its workforce is disaggregated with staff working remotely and across different geographies. This makes it difficult to get a sense for the security culture of the agency.

Internal Audit Value Proposition

In this context, an audit of the ICT security culture can:

• Provide intelligence on the attitudes towards information security and awareness of key requirements at a grassroots level
• Help to understand how effective recent improvement efforts have been
• Guide communication delivery for future improvement initiatives

Our Approach

Key aspects of our approach to this audit included:

Outcomes

This audit provided insights on targeting improvement efforts to make the most impact to the agency. This included intel on areas that key security considerations at front of mind and attitudes towards recent efforts to strengthen arrangements. It also stressed the importance of sharing the “why” in making changes in multiple ways to resonate with different teams. This can make a difference in how on-board staff are to changes, even in the face of operational challenges they may face in tightening security measures.

The audit also highlighted the effectiveness of lessons learned from past security issues staff had encountered on the security culture of the agency, be it in their personal lives or at some point in their career. In a similar vein, many interviewees commented that our lines of questioning prompted them to think about how they meet security obligations day-to-day.

Lessons Learned

In delivering this cultural audit, we identified strengths in our approach as well as opportunities for improvement. The key lessons to take away include:

• Not being daunted by the prospect of a cultural audit – be clear on the outcomes sought, pick your focus, think through how best to engage with stakeholders, design data collection with a view in mind on the analysis sought.
• Consistency is important – the baseline questions and scenario-based questions allowed for us to compare attitudes and approaches between branches. The less structured follow on questions allowed us to hone in on the challenges staff faced and explore their honest approach to meeting security responsibilities alongside other competing priorities
• Take steps to make interviewees feel comfortable – the interviews where staff felt more comfortable were those that led to more open commentary and powerful insights. Reinforcing the confidentiality of the conversations and setting aside a full hour allowed most interviewees to relax and provide genuine feedback.