Security culture begins at the top

Building a strong security culture begins at the top of the organisation, right from the CEO and CIO level.

What’s the most important factor of a successful security program? Technology such as endpoint protection? Making sure your change management processes and system development life cycle includes consideration of security risks? Strong policies? Not quite.

While all of these are important, they rest on a prerequisite: a strong security culture, which ensures that these controls are accepted by employees and not bypassed, whether intentionally or accidentally. Building a strong security culture begins at the top of the organisation, right from the CEO and CIO level.

We’ve all seen the “people, process, technology” triangle, particularly for information security management. However, all too often, when considering security requirements and controls, there is more emphasis on processes and technology than on people. A poor security culture, training and attitude can easily undo any of your controls and create the weakest link for an organisation’s security.

It only takes one poor decision for someone to undo an organisation’s security controls, and the individual doing this can be anyone, from a high-level executive to a clerk. There have been stories over the years of incidents such as patient medical records being found on the street because they were carelessly thrown into the rubbish bin, or a file containing sensitive information being left in a public place. The consequences of either scenario can be severe, and while policies may exist prohibiting employees from doing either, there are no technical or process controls (other than physically checking every sheet of paper that leaves a building) to prevent these from occurring.

Significant information security risk exists due to the accidental or deliberate actions (or inactions) of employees. Simple human error, ignorance and omission are the root of most data breaches and e-crimes. While most people will try to do the right thing, everyone makes mistakes or may be unaware that what they are doing is actually a risk to the organisation. How many stories have we heard about people sharing passwords because it’s the easy thing to do, or downloading free software from the Internet to get the job done?

Awareness and training go a long way towards educating employees on how to prevent risky activity. However, the priority employees give to security, and whether or not they really pay attention to the awareness training, is influenced by executives. If employees don’t see high-ranking managers making clear statements and demonstrating that security is a priority, they won’t treat it as a priority either.

How can a CEO or CIO demonstrate to employees that security should be a consideration in their daily activities? This can be achieved through a range of means:

  • a message during their security awareness training
  • a brief mention in the employee welcome package
  • a policy message posted clearly around the facilities alongside other organisational policies (such as its Safety or Equal Opportunity policies)
  • including their name or position as a driver behind security initiatives, to demonstrate that each is an important project and improve its rate of success.

ISO 27001, the Information Security Management System (ISMS) standard, includes as a certification requirement:

(section 5.1 d) “management shall provide evidence of... communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement”.

This requirement is based on the same belief that organisational culture is set from the top. Employees at the bottom of an organisational hierarchy will only view certain behaviours as a priority if it is presented and followed by executive management as a core cultural component.

This expectation also extends to senior and middle management, team leaders and supervisors - everyone should follow the same security practices and procedures. If a manager is seen as not taking a security policy or procedure seriously, or receiving “personal policy exemptions”, their employees won’t take those policies seriously either.

Leadership by example, and clear communication from the CEO, CIO and their managers about the importance of security, are crucial to ensuring the “people” part of the “People, Process, Technology” triangle does not become the weak link.

As security professionals, we are tasked with thinking about process and technology controls as part of our everyday management, project and operational roles. However, don’t forget about the people aspect: ensure this message is also communicated to the executives that everyone looks to for leadership. Only they can set the example for everyone else.


6 Comments

Spencer Wakelam

1

I have just completed a Masters dissertation based on 12 months of research into this very subject, which produced some interesting results.

While senior management may theoretically support security initiatives in the form of security policy sign-off, a lack of communication of that support to middle management, and inadequate visibility of active participation, will undermine its effect.

The research also suggested that middle management and peer group role modelling is even more influential than the example set by senior leaders when it comes to security policy compliance on the part of general employees.

Wayne Chung

2

Spencer, I agree with everything you said. Words have to be followed by actions, and leadership at lower levels also needs to set an example for the company culture to respect security compliance.

Allen

3

The security providing people should have good security options, to rescue many people under any emergency situations.

Haim

4

Spencer, this sounds like a very interesting dissertation topic. Please let me know where I can find more details about your study and where I can find the final document.

Thanks,

Haim
