Many years ago, I was enlisted in the Marine Corps. As a young Marine I was given the opportunity to take part in the Marine Security Guard program. I received my marching orders and was off to Quantico, Virginia, for my training. Afterwards I was shipped off to the United States embassy in Pretoria, South Africa. Upon arriving at my first post, I met my Regional Security Officer (RSO). He and I had a great conversation that I later viewed as my security awareness training. Towards the end of our meeting he leaned towards me, pointed at me, and very directly said, “You, young man, are the biggest threat to this embassy.” As a young, arrogant Marine who thought he was Superman sent into the country to save the day, you can imagine how this statement startled me.
I did not give his comment much thought after our meeting until a few months later, when I was standing with the ambassador in a room full of people. It was at that point that I realized what the RSO meant by calling me the “biggest threat”. As I stood in this room, I looked around and knew all the combinations to the doors and safes. I knew where the alarm system was. I knew where the weapons in the building were and how to get to them. While the ambassador was the most important person in the room that night, I was the biggest threat. So I started to ask myself: in the previous months, had I been aware of my surroundings and of what I was saying and doing? Had I tried to impress some girl at a bar by bragging about my responsibilities and job role? If any of my knowledge fell into the wrong hands, the outcome could be devastating. Within any organization, whether it is a U.S. embassy in South Africa or a small medical practice in Rhode Island, people will always pose a tremendous risk to the organization. Many data breaches and hacks begin with a single instance of human error, such as clicking a link in a phishing email. The role I held at the U.S. embassy included heightened responsibilities, which brought with them heightened risks.
As IT security professionals, we should view our staff the same way, regardless of their organizational level. People will always carry a certain level of risk. That is why it is so important to share our experience and expertise with the staff within our organization. The backbone of a good information security program is security awareness training. Security awareness training helps to create a culture of security within your organization, raising employee awareness of threats and in turn lowering the risk that your people pose. This is why my RSO provided me with security awareness training: to help lower the risk I posed to the ambassador and the embassy.
The IT security and compliance professionals here at Compass IT Compliance work hand in hand with many organizations to provide security awareness training. In most cases, at the end of a session an individual will come to us with questions or a confession. While it is important to hold such trainings, organizations should understand that security awareness training is not a point-in-time event. Once the session (in-person or online) has concluded, it is up to you to continue to foster this culture of awareness through continuous training sessions, simulated phishing emails, policy and procedure reviews, and so on.
It is often said that people do not die of choking; they die of embarrassment because they are unwilling to alert someone. The same can be said for the untrained or unaware staff member who clicks that one phishing email that is not caught by your filtering software. They were not trained and tested to recognize the threat, and the organizational culture may leave them feeling too scared or ashamed to come forward for fear of punishment. They unsuccessfully attempt to remove the threat on their own, and now a malicious actor is in your systems while you are completely unaware. Your organizational security culture should not only equip employees with the training and experience to recognize threats and risks, but also encourage employees to report mistakes that may harm the organization instead of concealing them. Only then can an organization begin mitigating one of the biggest IT risks: its people.