Monday, November 28, 2011

The Information Security Cultural Challenge

Given the cultural context in which the information security organization finds itself, the cultural realities of the situation are, to be honest, somewhat bleak.


• Information security is a new kid on the block. In most organizations the information security function is at most a few years old. The field itself dates only to 1970.
• Information security is nowhere near core to the organization. Even when there is a regulatory requirement for information security controls, these are ‘pushed’ by senior management only because they are legally required. Top-level support for information security could dry up in an instant if the legal and regulatory landscape were to change.
• Even more challenging, the information security organization manages a set of concerns seemingly disconnected from those of the marketing, sales, operations, and financial organizations, with the result that the information security subculture is dramatically disconnected from these other, much more dominant, subcultures.
• Because “information security” contains the word “security,” the cultural expectation is that the information security group will take care of security just like the guards do, with no need for ‘me’ to get involved.
• Except for the annual awareness training, the only time the information security culture “touches” the rest of the organization is when someone forgets his password or when the system won’t let someone “do her job.” Consequently, there are likely to be few ‘natural’ opportunities for cultural blending, with the result that the information security subculture will tend to evolve in isolation from the dominant culture.


It is against this backdrop that the information security organization must embed its culture into the culture of the larger organization, for this is the only way to transfer to the larger organization the correct way to perceive, think, and feel in relation to information security problems.

Friday, November 18, 2011

Beyond Information Security Awareness Training: It’s Time to Change the Culture

The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. While an awareness training program can impart information security knowledge, it rarely has significant impact on people’s feelings about their responsibility for securing information, or on their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people.

One sees this phenomenon every time an employee opens an unexpected email attachment from a friend. They may not really care about the possibility that the attachment is a virus, or they may care, but their instincts are not finely enough honed to intuitively recognize the threat.

It’s the same issue every time an employee falls victim to social engineering. People’s instincts are to be helpful. We amplify this instinct every time we tell employees about the importance of customer service. And then we wonder why, in that moment of truth, after the social engineer has sounded so friendly and seemed so honest, the employee disregards the awareness training program and gives up his password.