Amidst corporate initiatives to improve profitability, cut costs, improve cash flow, and rationalize investments, C-suite executives still need to spend a chunk of management time on corporate governance. An important aspect of this is information security governance, since information security cuts across all organizational processes.
Key to success in governing information security is proper, organization-wide awareness. One crucial point is that information security is not just IT security. Since all departments in an organization are affected, information security is everyone's concern. Start with the right security organization.
The security leader must have endorsement and support from the highest levels of management, no less than the CEO if possible. The CEO, as the executive sponsor of the CISO or CSO, demonstrates in no uncertain terms that information security initiatives are organization-wide. The security leader should be supported by a team of self-starters coming from all major departments within the organization.
This team acts as the security champions from the various groups and reinforces information security awareness at the department level. The security leader must communicate the right mindset in safeguarding an organization's information assets. They must articulate this message across a broad audience that may or may not be security-savvy.
Employees may view information security as a hindrance to the smooth performance of their daily duties. It is the job of the security leader to make them appreciate the value to the organization and to themselves of protecting information assets, and the consequences should these information assets be compromised.
The security leader should issue new policies or reminders to articulate the importance of compliance. While written messages are important, these are not effective when used alone. The security leader should make themselves available and visible.
They should tour the office premises from time to time to remind employees of information security policies or seek feedback on the company's security initiatives. One organization I know calls this initiative "One Minute for Information Security." From what I have seen, employees are willing to take even several minutes of their time to dialogue with the security leader.
Another useful tool to strengthen security communications is the security awareness seminar for all employees. Videos are an excellent way to drive home the message, and short videos shown at network log-on have proven to be effective reminders. Strategic placement of posters carrying information security visuals is also a good communication channel. Employees especially like corporate giveaways such as pens or memo pads that carry security-related reminders.
Regardless of the communications medium or the message, it is important to deliver it in bite-size chunks to avoid confusion and information overload.
Compliance is difficult to enforce, especially if security awareness is not yet mature. One way is to impose penalties for non-compliance (i.e., the "stick" approach).
This has its good and bad points. The penalties can serve as a deterrent, but employees will tend to view information security as a series of don'ts with stiff consequences. Consequently, the right mindset may not be formed.
A simple system of rewards through positive reinforcement (i.e., the "carrot" approach) is certainly another way to encourage compliance. Let's take the clear-desk policy as an example. To encourage clear desks, those in charge of enforcing the policy can tour the office premises unannounced (e.g., during the lunch break) and place a small token or chocolate, plus a note of appreciation, on compliant desks. The owners of these desks will thus be encouraged to keep their desks clear.
Another approach to implementing the clear-desk policy is to periodically publish pictures of both compliant and non-compliant desks. You may or may not identify the owners of these desks, depending on the culture in your organization. In this way, employees will be motivated to keep their own desks clear when they see that their colleagues and even their bosses are doing so.
This leads us to the question of which approach is better: carrot or stick. We can use both, since one complements the other. You can start with the carrot at the early stages of security awareness. Once established, you can use the stick. However, for non-compliance that gives rise to unacceptable risks to the organization, we can use the stick at the outset.
Nothing will drive home the point better than having information security reminders and policies apply to all levels in the organization, from rank-and-file all the way to the CEO. If the security leader or any company executive is not complying with any of the policies, they should be prepared to rectify the situation or suffer the consequences, as prescribed by policy. All employees will thus realize that information security policies are applied fairly to everyone, and that the organization is serious about information security.
Information security awareness tends to be at its peak during periods of audit or certification/recertification (in the case of standards-based information security management systems). The security leader and their team should send clear messages that the security initiatives are not for the audit or certification alone, but should be normal practice at all times.
A good test of whether an organization has the right level of security awareness is that only occasional reminders from the security organization are needed and everyone adopts a self-policing mindset. If you pick any employee at random, from the rank-and-file up to the CEO, and ask what their role in information security is, they should be able to articulate right away how information security depends on them. In other words, the goal is to make information security second nature to everyone.
Tuesday, July 7, 2009