Thursday, December 15, 2011

Strategic Imperative: Evolve an Information Security Learning Organization

Real security lies not only in firewalls, passwords and awareness training but in a culture that perceives, thinks, and feels correctly about information security problems. That can only happen gradually, as the culture evolves into an information security learning organization.

An information security learning organization is an organization skilled at creating, acquiring and transferring knowledge about information security, and at modifying its behavior to reflect new information security knowledge and insights.
In The Fifth Discipline, Peter Senge, one of the pioneers of the learning organization, identified five disciplines that are prerequisites to establishing one. These five disciplines are:

Personal Mastery: We can only learn when we are unafraid. Consequently, the CISO has to create a trusting environment in which people are willing to admit their gaps in information security knowledge without fear of looking stupid or being judged.
Mental Models: This means providing people the intellectual tools needed to understand information security so that its principles come to be applied in every situation where people might put information at risk.
Shared Vision: The information security leader needs to connect information security to the very success or failure of the organization, helping people understand, for example, how an information breach could close the company and put people out of work.
Team Learning: The CISO must work with people so that they come to train each other. One goal should be to make information security a common theme in discussions around the water cooler.
Systems Thinking: The CISO must understand the forces acting on the organization’s culture, the myriad causes and effects that shape how the culture evolves. To be effective, the change strategy must amplify those cultural forces, such as growing compliance obligations and the organization’s need for information availability, that already demand cultural change.
