When corporate leaders ask me how to achieve a culture of information security in their businesses, I usually tell them that they’re asking the wrong question. All organizations have a culture of security. The problem is that, in some organizations, the culture is unsupportive and ineffective.
But let’s back up and define our terms. What exactly is meant by a “culture” of security? ISACA, the professional society for IT auditors, information security professionals and others involved in IT risk management, has described it as “a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things” with regard to keeping information secure.
An information security culture cannot be divorced from company culture as a whole. Some companies have a wide risk appetite, and others are prudent to a fault. Some are collaborative, and others siloed. Some are sales-focused, and others are intent on customer service.
None of these is right or wrong. The point is that information security must fit within a company’s way of doing business.
Surmounting the Obstacles to Building a Security Culture
The ideal culture is one in which keeping information safe becomes second nature for every manager and employee in the organization. The goal is to establish, alongside formal policies, positive unwritten norms shared by everyone.
Invariably, business leaders agree that such a culture is very useful. Yet most of them, when pressed, will acknowledge that their organizations are not quite there.
I most often see two obstacles getting in the way of building a culture of information security: perceptions and priorities.
The perception of security as a negative force — telling people what they cannot do rather than helping them to do what they want — is the greater of the two. We’ve all seen the popular imagery of IT security: locks, policemen, snarling dogs. I prefer images of keys, school crossing guards and collies.
Another obstacle is that the benefits of an effective information security culture, while real, are difficult to quantify. Senior leaders and middle managers tend to prioritize the things that they’re rewarded for achieving. Let’s face it: Few if any people get a raise and a promotion because they did not experience a security incident in the past year.
Yet we know that well-run companies are secure, and vice versa. When a business known to have solid management and execution capabilities gets hacked, the market tends to forgive. But there are examples of marketplace and regulatory penalties for those that appear to have experienced an attack because of loose security management.
Good Security Culture Starts with the Right Tone
What’s the difference between those well-run organizations and the rest? Tone at the top is always important: a senior executive who “gets it” and is willing to forcefully advocate for security at senior leadership meetings.
The frontline employees who actually use data every day generally follow the lead of their own supervisors. That’s why middle managers must not be given perverse incentives. A division director or department chief who hears “Yes, security is important, but …,” then is told to boost sales, cut costs or meet quotas, will see no benefit in promoting secure use of information. He or she will instead just see extra work without reward. I know business metrics are important, but how one makes money can be as crucial as how much money one makes.
Through the years, the imperatives for information security have become more apparent. Those who undermine information systems are no longer misguided teenagers but criminal gangs and hostile governments. The consequences of poor security are self-evident. What is somewhat less clear is the link between information security and corporate culture.
If there were ever a time to emphasize a culture of information security, this is it.