My name is Dawn Carrington, and I am Security Culture Change Lead in the Digital and Technology team.
For as long as I can remember I’ve wanted to do work that makes a positive impact in people’s lives. At the MoJ my role is essentially to activate our human firewall, by reinforcing positive security behaviours in our workforce. This helps to ensure the sensitive data we manage on behalf of the vulnerable people we serve doesn’t get into the wrong hands, and to keep ourselves and our colleagues safe.
Soon after I joined, the entire organisation was thrust into Covid lockdown, meaning online remote working quickly became the ‘new norm’. As for most organisations, this new way of working meant a change in our threat landscape and security culture.
A security culture can be defined as "shared values and beliefs that interact with an organisation's structures and control systems to produce behavioural norms". It requires regular care from the top down, as it is not something that grows in a positive way by itself. An organisation’s leaders need to invest in it.
During the lockdown we’ve made the most of existing technologies and controls, using them in new ways, to enable those working from home to do so securely. We’ve produced a range of new good practice guidance on remote working. However, it's people who can make or break security.
What we have been doing
The changes brought about by Covid are profound, and the impact is similar for any organisation.
At the MoJ we’re implementing CPNI’s 5 E’s model to reinforce strong security behaviours in our people. To date we’ve delivered a wide range of interventions to increase positive behaviours, including:
- a welcome video for new joiners from the Chief Security Officer, Amie Alekna
- a ‘Remote Working Security Briefing’ for our Senior Leaders, cascaded to staff
- interactive line manager training sessions
- all-staff ‘bitesize’ awareness sessions
- a leaflet outlining positive security behaviours
- a fun video message from our Chief Security Officer and her family, reinforcing key messages about secure working practices whilst at home
- a security culture microsite, with resources, videos and training materials to increase knowledge of our policies among our workforce
Equally important, we’ve launched a one-stop email address for security-related enquiries and incident reporting, which encourages more conversations earlier on about security.
It is vital that every organisation instils the concept that security belongs to everyone and reinforces positive security behaviours. At the MoJ, next, we’ll be:
- developing an ambitious Security Academy to establish and build good security practices across the MoJ, which we’ll be sharing across wider government.
- measuring our culture through a staff survey, so that we have something to track progress against.
- creating a network of security champions across the business to keep security awareness and behaviours high. In my experience, such networks are highly effective at embedding strong security behaviours in local teams.
As we continue to deliver the Security Culture Programme we’ll be looking for opportunities to celebrate our successes and to reward and recognise those who do the right thing.
Alongside this, we are working hard to enable good behaviours and avoid a ‘blame’ culture, recognising our users are the strongest link in our security story. It's important to create an environment where people feel safe to report incidents; the sooner we know, the sooner we can help.
Eighteen months of remote working has fundamentally changed the way that government and its employees work and, crucially, the way information flows around and between systems.
The technology hasn't changed; however, the way people use it has, and they might now be working in a hybrid way. Every organisation on the planet must now address the cultural implications of this ‘new norm’.