Case Study

How to roll out a security awareness program in an international company

As a first step towards raising employee security awareness, I organised a first workshop during the annual summit of the European security leaders to frame the problem and come closer to solutions. The results were a stronger sense of team among the participants, and an ordered list of root causes for the problem to be addressed later.

Client

Rakuten

Year

2019

Duration

1 month

Role

Project Manager

Context

In each Rakuten company, an appointed CISO (Chief Information Security Officer) is responsible for security-related matters. In Europe, these security representatives work in various technical environments, with different challenges and different priorities in mind. To unite them, the EU ISO team provides guidelines and support, and holds the vision of the bigger picture: stronger security at the European level.

As in any digital company, there is a need to raise employees' security awareness. This project was initiated by the EU ISO team, who wanted to try design thinking methods on this complex challenge. The dream would be to « embed a security mindset into the audience's subconscious », so that everyone starts to pay attention or adapt their behaviour.

What is security awareness?

The triangle of information security awareness consists of Knowledge, Attitude, and Behavior. Being « security aware » means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company’s computer systems, or the physical assets of the company.

How international was this challenge?


Approach

Our first objective was to find footing because:

  1. The challenge's objective and scope lacked clarity because they were too broad
  2. Every stakeholder seemed to have a different opinion about the challenge

From our initial research, we discovered two facts.

1 • From the analysis of security profiles

To compare the various security profiles in Europe, we measured their security culture using a framework created by Dr Lance Hayden. We found that the security profiles of the Rakuten companies in Europe were well balanced.

2 • From the analysis of the culture gaps

I noticed several mentions of a cultural gap between the cultures of Rakuten's European companies, so here is an actual measure of this gap. Although the team feels that a culture gap exists, the measurements showed that the company cultures of Rakuten's European companies are very similar, unlike the regional cultures.

More about the authors I referenced in my work

Erin Meyer is Senior Affiliate Professor in the Organisational Behaviour Department at INSEAD and specialises in the field of Cross-Cultural Management, Intercultural Negotiations, and Multi-Cultural Leadership. Erin is the Programme Director for Leading Across Borders and Cultures. She is also the author of « The Culture Map: Breaking Through the Invisible Boundaries of Global Business ». Erin’s work focuses on how the world’s most successful leaders navigate the complexities of cultural differences in a global environment.

Dr. Lance Hayden has spent 25 years working in information security, beginning his career as a human intelligence (HUMINT) officer with the Central Intelligence Agency. He has served as a trusted advisor to government, military, and enterprise clients across industries including finance and insurance, healthcare, retail, energy, and telecommunications. He is a leading expert on cybersecurity culture and human security behaviors. He is the author of « People-Centric Security: Transforming Your Enterprise Security Culture » and « IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data ».

These discoveries oriented the workshop's activities

Participants were CEOs, CTOs, or other C-level executives with busy schedules. One hour was the maximum they could dedicate to the workshop, and I had a duty to respect this timing very precisely.

Spectrum Mapping

To build alignment, we used spectrum mapping to get the group's points of view about two topics.

Root Cause Analysis

To bring clarity to the challenge, we tried to define the most important root causes of today's low security awareness.

"We used to think we are the experts about the issue and understand the problem precisely to some extent. After the Design Thinking workshop, I feel it was wrong. The workshop brings us a different way to approach the problem!"

Head of Rakuten EU Security

In 1 month, we moved from chaos to an organized roadmap

Security awareness should come from executives

There is a general belief that executives need to put a price tag on risks in order to take ownership of security awareness.

Transparency regarding threats with employees is considered a necessary risk.

This kind of communication should be done with respect for Rakuten's reputation, after the issue is solved, and with a constructive purpose.

Rakuten European CISOs are united by their way of working and by the balanced security profiles of their companies

What topics to address with higher priority

Together, we prioritised three root causes to explore later in order to raise security awareness.
