Saturday, December 31, 2011

Effectiveness of this program

The effectiveness of an information security awareness program ultimately depends upon the behavior of people. Behavior, in turn, depends on what people know, how they feel, and what their instincts tell them to do. While a security awareness training program can impart information security knowledge, it rarely has a significant impact on people's feelings about their responsibility for securing information, or on their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of the people. It is the role of culture to close this gap.

It is the CISO's responsibility to provide the organizational leadership required to change how the organization perceives, thinks and feels in relation to information security problems, and so to embed the information security subculture into the dominant culture of the organization. Meeting this responsibility requires the CISO to evolve an information security learning organization, one that modifies its behavior to reflect new information security knowledge and insights.

A HAPPY AND HEALTHY NEW YEAR TO ALL !!!!!!!!!!

Wednesday, December 21, 2011

Ethical Persuasion: Changing Culture Means Building Relationships


Changing a culture requires changing people; changing how people perceive, think, and feel about information security problems. In effecting cultural change, the CISO must win everyone to the cause of information security. And to do that, as Lincoln reminds us, requires the CISO to be a sincere friend.

If the CISO is to change people, the CISO must engage in what is known as ethical persuasion, the honest attempt to induce people to change their behavior. To persuade ethically — to catch the heart which is the high road to reason — the mode of persuasion needs to be direct and honest, it needs to be respectful of people, and it must be without manipulation.

Recent work in the behavioral sciences has discovered six specific persuasion triggers that the CISO can use to influence the extent to which people will open themselves up to being persuaded.

• Reciprocity: People feel obliged to give to people who have given to them.
• Social Proof: People follow the lead of similar others.
• Authority: People defer to experts who provide shortcuts to decisions requiring specialized information.
• Consistency: People fulfill written, public and voluntary commitments.
• Scarcity: People value what’s scarce.
• Liking: People prefer to say “yes” to people they perceive like them.

It turns out that even more important than people liking us … is us liking them. People like, and are inclined to follow, leaders whom they perceive as liking them. If people perceive that the CISO likes them, they are more inclined to say yes to the CISO.

To influence people, win friends. An effective CISO will always be on the lookout for opportunities to establish goodwill and trustworthiness, to give praise, and to practice cooperation.

Thursday, December 15, 2011

Strategic Imperative: Evolve an Information Security Learning Organization

Real security lies not just in firewalls, passwords and awareness training but in the culture perceiving, thinking, and feeling correctly in relation to information security problems. This can only happen gradually, as the culture evolves an information security learning organization.

An information security learning organization is an organization skilled at creating, acquiring and transferring knowledge about information security, and at modifying its behavior to reflect new information security knowledge and insights.

In The Fifth Discipline, Peter Senge, one of the pioneers of learning organizations, identified five key disciplines that are prerequisites to establishing a learning organization. These five disciplines are:

Personal Mastery: We can only learn when we are unafraid. Consequently, the CISO has to create a trusting environment in which people are willing to open up to their information security inadequacies without fear of feeling stupid or otherwise inadequate.
Mental Models: This means providing people the intellectual tools needed to understand information security so that its principles come to be applied in every situation where people might put information at risk.
Shared Vision: The information security leader needs to connect information security to the very success or failure of the organization, helping people understand, for example, how an information breach could close the company and put people out of work.
Team Learning: The CISO must work with people so that they come to train each other. A goal should be to make information security a common theme in discussions around the water cooler.
Systems Thinking: The CISO must understand the forces on the organization’s culture, the myriad of causes and effects that shape the culture’s evolution. To be effective, the change strategy must amplify those cultural forces, such as increased compliance requirements and the organization’s need for information availability, that demand greater cultural change.


Wednesday, December 7, 2011

Leadership: The Force for Cultural Evolution

The challenge of leadership is to optimally affect the ongoing course of organizational evolution, to be the change agent directing this evolution. Culture and leadership are two sides of the same coin. If cultures become dysfunctional, it is the unique function of leadership to perceive the functional and dysfunctional elements of the existing culture and to manage cultural evolution and change in such a way that the group can survive in a changing environment.

Leadership … is the ability to step outside the culture …and to start evolutionary change processes that are …adaptive. This ability to perceive the limitations of one’s own culture and to develop the culture adaptively is the essence and ultimate challenge of leadership.

This aspect of leadership, changing the larger culture in the direction of information security, must be part of any CISO’s job description. Until and unless “the information security way of seeing the world” becomes a part of the organization’s culture, the organization is dysfunctional. Every time there is an information security breach whose root cause is human, that is evidence of the dysfunction.

With this in mind, the CISO must step outside the culture and look at it from the outside, molding and shaping its evolution so that, over time, people are doing the right thing: they are being careful, they are paying attention, and they are even training each other, all because an information security mindset has become embedded in the larger culture.