Creating a Secure Information Culture

6 02 2012

by Jim Forystek

Most would associate security in the work environment with authorization policies, server patching, damage control, and physical access control.  One might also consider "Security" as its own autonomous department within an organization, responsible for ensuring that these security elements are enforced.  Webster's defines "secure" as free from or not exposed to danger or harm; safe.  On the psychological side, it means free from care; without anxiety; emotionally secure [3].  I find it relatively easy to determine whether or not a personal situation is secure.  If I consider the security of my home, for example, I can think of the weaknesses or vulnerabilities that could potentially expose my home (and me) to a threat.  By implementing controls, e.g., locks, sensors, alarms, etc., to block or divert household threats, I not only reduce the risk of potential harm, but I also feel more emotionally secure.

I find the task of defining "culture" a little more complicated.  Human resources expert Susan Heathfield states that "culture is made up of the values, beliefs, underlying assumptions, attitudes, and behaviors shared by a group of people.  Culture is the behavior that results when a group arrives at a set of – generally unspoken and unwritten – rules for working together" [2].  Heathfield goes on to explain that "employees are most motivated and most satisfied when their needs and values are consistent with those manifested in your workplace culture."  Values, beliefs, attitudes and behaviors are the things that define what a group is thinking.  The benefit of positive group behavior is that it becomes automatic once it is part of the organization's culture.

Based on these definitions, the idea of instilling the tangible and psychological benefits of information security within a group's culture sounds like a win-win situation.  Solid information security behavior that is embedded within a secure culture results in two major benefits: protected business information, and a workforce that feels emotionally secure about the information it uses to do its job.  Creating this culture requires an alliance of the two definitions, so that the values, beliefs, behaviors and attitudes of a group include protecting information from danger and eliminating the anxiety associated with the threat of information exposure.  However, one problem that I see with this strategy is that most people feel no anxiety about the threat of information exposure in the first place.  That is why I see most organizations struggling to create the necessary cultural shift toward enhanced information security.

So why is it so difficult to accomplish the task of creating information security within an organization?  Heathfield explains that "People are comfortable with the current organizational culture.  For people to consider culture change, usually significant events must occur.  An event that rocks their world such as bankruptcy, a significant loss of sales and customers, or losing a million dollars, might get people's attention" [4].  In other words, learning your lesson the "hard way" can be a very effective, if unfortunate, way to change behaviors.  I believe the first step in successfully changing or enhancing any cultural element within an organization requires reason and motivation, not just fear.  Fear-based motivation may change an organization's culture, but this method is not as effective as motivation backed by reason.  Information Security Officer David Nelson states that "scare tactics cause a lack of understanding and usually result in a loss of credibility and respect.  An organization that attempts to implement information security without attempting to change its culture misses out on the opportunity to refine its core business in the process" [1].  Quite frankly, using only fear to motivate an organization can be seen as a direct attack on the organization's emotional sense of security.  I think it's okay to be a little nervous about your information vulnerabilities, but not because of fear alone.

How does an organization create or enhance a secure information culture?  Heathfield defines three high-level steps to achieving a cultural shift in the organization [4].  Step 1 involves understanding your current culture.  Without a clear understanding of the organization's culture, you cannot expect to measure the level of change.  Step 2 involves defining the strategic direction, which includes what the organizational culture should look like to support success.  Step 3, the most difficult step, is for the individuals in the organization to decide to change their behavior to create the desired organizational culture.

Perhaps the best way to address Step 1 in your organization is to have a business associate identify the sources of valuable information and have an IT associate illustrate how that information is managed and protected.  This allows an organization to assess the current vulnerabilities in its information systems, and it establishes the baseline against which any later change must be measured.  Step 2 would involve laying out new policies that protect the information identified in Step 1 and remediate the vulnerabilities found there.  This is where the organization first sees which behaviors need to change.  Step 3 would involve the execution of the plan, which requires senior management support.  Support would include practicing the new policies and providing the training necessary to implement them successfully.  Senior leaders must be made aware of the cost and political ramifications of an information security breach.  Without this knowledge, senior leaders may be inclined to ignore the efforts to shift the culture.  I believe the execution of the plan does not stop after it has been rolled out.  A formal audit process should be implemented to gauge the status of the cultural shift against the Step 1 baseline.

It can be difficult for people to see the value associated with a secure information culture.  If efforts to shift the information security culture were neatly aligned with profit margins, then perhaps the shift would be easier to implement.  The benefits of a secure information culture go beyond protecting valuable data.  They also include a more knowledgeable workforce that can work together as a team to enhance the protection of valuable assets.  When I was first hired by my company 17 years ago, our corporate safety performance was poor.  Injuries ranged from routine sprains and strains to more serious incidents, including fatalities.  Since then, my company has gone through a dramatic cultural shift to change its behavior and attitude toward safety.  Now, there is a slogan that "safety is everybody's business."  Not only have safety incidents dropped dramatically, but people are working smarter and more efficiently because they are part of a safety culture.  The same results can be achieved for information security in any organization that is committed to making it happen.
