How’s your security culture?
By Kevin Beaver, CISSP on Thursday, January 04, 2007
Information security is as much a mindset as it is a process. It depends on your employees and network users being on their toes and knowing what’s expected of them just as much as it depends on ongoing security testing and in-depth audits. How does your organization stack up when it comes to taking information security seriously? Do you have a culture where information security and privacy are at the top of most people’s minds in their day-to-day work, or is it just another one of those roadblocks to a good bottom line?
From what I’m seeing in my work performing information security assessments and from what I’m hearing from my colleagues in the industry, managers believe that information security is good (or good enough) and everything’s under control. I hear “We just had a security audit and everything turned out fine” and “We take information privacy and security very seriously here” and “We trust our employees and users on our network are doing the right thing to prevent information breaches.”
However, when I interview random employees and ask how information security is perceived and how it is actually working within the organization, I see quite a different picture. I hear things like “Management claims to take security seriously, but security incidents are still occurring,” “They have a leadership committee that addresses security, but nothing is getting done,” and “What’s information security? Oh, it’s that requirement for a long password I can never remember, isn’t it?” The point is that the two sides - management and employees - view information security from two completely different perspectives: misperception and reality.
If you’re not in management, do you see your business leaders treating information security as a business problem, or are they burying their heads in the sand, believing that information security is an operational issue that will never create any long-term business value? I do see both, but by and large information security is still getting the silent treatment. That helps explain the 97 million plus electronic records that have been compromised since the ChoicePoint breach a couple of years ago (www.privacyrights.org/ar/ChronDataBreaches.htm). That’s 97 million plus known records compromised in organizations around the U.S. - many of which you’d expect to have things pretty well under control.
The only thing that’s going to keep this data breach trend from staying the same or getting worse is for management to change their perception of business risk and get others on board with their beliefs. This is going to require management to take their blinders off and come to terms with the fact that information technology is more than just an operational cost center. It’s also going to require a shift in mindset and culture related to how business gets done.
Successful business people know that such culture changes and shifts in the way people work are - for the most part - effected by the leaders up top within the organization. That’s why it’s important for management to realize what information technology really is, what it really does, and what critical electronic assets really mean to the business. However, in many cases, it’s a delusional assumption that the embracing of a strong security culture will start at the top. So, what’s the next best thing? Get the ball rolling on your own! Believe it or not, you can effect change from the bottom up. If information security is in the best interests of your business, your customers, or even your career, you can get motivated enough to actually get the ear of management.
Selling others on a new topic will only occur if they have something to gain or something to lose. You’ll have to spell out the value of information security in business terms that managers can relate to. It’ll take some time and effort, but by talking about the issues the business is facing from an information risk perspective, demonstrating how compliance can be used in a positive way for competitive differentiation, and by getting the right people on your side, eventually the word will get out. It’ll then work its way around and eventually be pushed up to the level it needs to be for positive changes to occur and be supported long-term.
Managers: know that your employees are watching and can be influenced by your choices on how information risks are handled. You’ll never be able to convince everyone to do the right thing, and you certainly won’t be able to control their actions. But if you make choices and set good examples with a long-term perspective, your leadership will shine through, you’ll start a culture shift, and you’ll get the majority of your people on board doing what’s right. That sounds like a good long-term business goal.
Kevin Beaver, CISSP, Principle Logic, LLC
kbeaver@principlelogic.com