Security culture begins at the top
- — 02 February, 2012 11:03
What’s the most important factor of a successful security program? Technology such as endpoint protection? Making sure your change management processes and system development life cycle includes consideration of security risks? Strong policies? Not quite.
While all of these are important, a prerequisite - ensuring all these controls are accepted by employees and not bypassed (either intentionally or accidentally) - is a strong security culture. Building a strong security culture begins at the top of the organisation, right from the CEO and CIO level.
We’ve all seen the “people, process, technology” triangle, particularly for information security management. However, all too often, when considering security requirements and controls, there is more emphasis on processes and technology than on people. A poor security culture, training and attitude can easily undo any of your controls and create the weakest link for an organisation’s security.
It only takes one poor decision for someone to undo an organisation’s security controls, and the individual doing this can be anyone, from a high-level executive to a clerk. There have been stories over the years of incidents such as patient medical records being found on the street because it was carelessly thrown into the rubbish bin; or a file containing sensitive information being left in a public place. The consequences for either scenario can be severe, and while policies may exist prohibiting employees from doing either, there are no technical or process controls (other than physically checking every sheet of paper that leaves a building) to prevent these occurring.
Significant information security risk exists due to the accidental or deliberate actions (or inactions) of employees. Simple human error, ignorance and omission are the root of most data breaches and e-crimes. While most people will try to do the right thing, everyone makes mistakes or may be unaware that what they are doing is actually a risk to the organisation. How many stories have we heard about people sharing passwords because it’s the easy thing to do, or downloading free software from the Internet to get the job done?
Awareness and training goes a long way to educating employees on how to prevent risky activity. However, the priority employees give to security and whether or not they really pay attention to the awareness training is influenced by executives. If employees don’t see high-ranking managers making clear statements and demonstrating that security is a priority, they won’t treat it as a priority either.
How can a CEO or CIO demonstrate to employees that security should be a consideration in their daily activities? This can be achieved through range of means:
- a message during their security awareness training
- a brief mention in the employee welcome package
- a policy message posted clearly around the facilities alongside other organisational policies (such as its Safety or Equal Opportunity policies)
- including their name or position as a driver behind security initiatives to demonstrate that it is an important project, and improve the rate of its success.
ISO 27001, the Information Security Management System (ISMS) standard, includes as a certification requirement:
(section 5.1 d) “management shall provide evidence of... communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement”.
This requirement is based on the same belief that organisational culture is set from the top. Employees at the bottom of an organisational hierarchy will only view certain behaviours as a priority if it is presented and followed by executive management as a core cultural component.
This expectation also extends to senior and middle management, team leaders and supervisors - everyone should follow the same security practices and procedures. If a manager is seen as not taking a security policy or procedure seriously, or receiving “personal policy exemptions”, their employees won’t take those policies seriously either.
Leadership by example, and clear communications from the CEO, CIO and their managers about the importance of security is cruicial to ensuring the “people” part of the “People, Process, Technology” triangle does not become the weak link.
As security professionals, we are tasked with thinking about process and technology controls as part of our everyday management, project and operational roles. However, don’t forget about the people aspect, ensure this message is also communicated to the executives that everyone looks to for leadership. Only they can set the example for everyone else.