Raising Security Awareness in Rakuten Europe

As a first step towards raising employee security awareness, I organised a first workshop during the annual summit of the European security leaders to frame the problem and come closer to solutions. The result is a stronger team spirit among the participants, and an ordered list of root causes of the problem to be addressed later.

Company

Rakuten

Year

2019

Time

1 month for the first part

Role

Team of One

Context

In each Rakuten company, an appointed CISO (Chief Information Security Officer) is responsible for security-related matters. In Europe, these security representatives work in various technical environments, face different challenges and have different priorities in mind. To unite them, the EU ISO team provides guidelines and support, and holds the vision of the bigger picture: stronger security at the European level.

As in any digital company, there is a need to raise employees’ security awareness. This project was initiated by the EU ISO team, which wanted to try design thinking methods on this complex challenge. The dream would be to « embed security mindset into audience subconscious », so that everyone can start to pay attention or adapt their behaviour.

What is « Security Awareness »?

The triangle of information security awareness consists of Knowledge, Attitude, and Behavior. Being « security aware » means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company’s computer systems, or the physical assets of the company.

8 countries participating in EU security

Approach


Our first objective is to find footing because:

  1. The challenge's objective and scope lack clarity because it is too broad
  2. Every stakeholder seems to have a different opinion about the challenge

2 findings from initial research


#1 Security Profiles

To compare the various security profiles in Europe, we measured their security culture using a framework created by Dr Lance Hayden. We found that the security profiles of Rakuten companies in Europe were well balanced.

Dr Lance Hayden

AUTHOR PRESENTATION

Dr. Lance Hayden has spent 25 years working in information security, beginning his career as a human intelligence (HUMINT) officer with the Central Intelligence Agency. He has served as a trusted advisor to government, military, and enterprise clients across industries including finance and insurance, healthcare, retail, energy, and telecommunications. He is a leading expert on cybersecurity culture and human security behaviors. He is the author of « People-Centric Security: Transforming Your Enterprise Security Culture » and « IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data ».

Screenshot of the interactive radar chart to visualize the results

Erin Meyer

AUTHOR PRESENTATION

Erin Meyer is Senior Affiliate Professor in the Organisational Behaviour Department at INSEAD and specialises in the field of Cross-Cultural Management, Intercultural Negotiations, and Multi-Cultural Leadership. Erin is the Programme Director for Leading Across Borders and Cultures. She is also the author of « The Culture Map: Breaking Through the Invisible Boundaries of Global Business ». Erin’s work focuses on how the world’s most successful leaders navigate the complexities of cultural differences in a global environment.

#2 Culture Gap

I noticed several mentions of a cultural gap between the cultures of Rakuten's European companies, so here is an actual measure of this gap. Although the team feels that a culture gap exists, the measurements showed that the company cultures of Rakuten's European companies are very similar, unlike the regional cultures.

Screenshot of the interactive radar chart to visualize the results

"We used to think we are the experts about the issue and understand the problem precisely in some extent. After the Design Thinking workshop, I feel it was wrong. The workshop brings us the different way to approach the problem!"

Head of Rakuten EU Security

2 activities during the workshop


#1 Spectrum Mapping

To build alignment, we used spectrum mapping to gather the group's points of view on two topics.

#2 Root Cause Analysis

To bring clarity to the challenge, we tried to define the most important root causes of today’s low security awareness.

Take Away


Security awareness should come from executives. There is a general belief that executives need to put a price tag on risks in order to take ownership of security awareness.


Transparency with employees regarding threats is considered a necessary risk. This kind of communication should be done with respect to Rakuten’s reputation, after the issue is solved, and with a constructive purpose.


Rakuten's European CISOs are united by their way of working, and by the balanced security profiles of their companies.


Together, we have prioritized three root causes to explore later in order to raise security awareness.