Given the cultural context in which the information security organization finds itself, the realities of its situation are, to be honest, somewhat bleak.
• Information security is a new kid on the block. In most organizations the information security function is at most a few years old. The field itself dates only to 1970.
• Information security is nowhere near core to the organization. Even when there is a regulatory requirement for information security controls, these are ‘pushed’ by senior management only because they are legally required. Top level support for information security could dry up in an instant if the legal and regulatory landscape were to change.
• Even more challenging, the information security organization manages a set of concerns seemingly disconnected from those of the marketing, sales, operations, and financial organizations, with the result that the information security subculture is dramatically disconnected from these other, much more dominant, subcultures.
• Because “information security” contains the word “security,” the cultural expectation is that the information security group will take care of security just like the guards do, with no need for ‘me’ to get involved.
• Except for the annual awareness training, the only time the information security culture “touches” the rest of the organization is when someone forgets his password or when the system won’t let someone “do her job.” Consequently, there are likely to be few ‘natural’ opportunities for cultural blending, with the result that the information security subculture will tend to evolve in isolation from the dominant culture.
It is against this backdrop that the information security organization must embed its culture into the culture of the larger organization, for this is the only way to transfer to the larger organization the correct way to perceive, think, and feel in relation to information security problems.
Monday, November 28, 2011