

The question
We in the IT department are confident we have sufficient
technology-based defences in our network and are keen to develop a
'security culture' among company staff. The workforce is spread
across several locations in the UK and abroad. We have sent out
e-mails about the various threats but are not convinced these are
taken notice of. How can we get our message across most
effectively?
The solution
The example of top management is crucial
Raising awareness of business and information security issues
should be treated as an ongoing process, not as a project. It should
start at the top with the CEO and it should be visible in all
leadership positions that they as individuals take it seriously.
Their example is critical to changing the culture of the
organisation.
Continuous sensitisation of all employees, making some more
aware of their duties and responsibilities, and educating and
training a few who are in critical roles (in IS, security and
elsewhere) allows a structured and cost-effective approach to be
maintained.
Allowing for cultural differences across the world is also very
important. Some cultures are rule-driven, some compliance-driven
and some more strongly affected by culture.
Adapting a common message to a communications method that is
locally appropriate is critical to achieving a coherent but not
identical approach to security on a global basis.
Reinforcement of this approach by the use of policies and
procedures, probably based on BS7799 or its international
equivalent, will help considerably in ensuring that all staff use a
common approach to the management of security.
Overarching business risk management should be held at board
level, and the consequences of new approaches to risk governance
delegated into business units integrating them into local
risk-management practices as appropriate.
Feedback on success will come from statistics on numbers of
incidents, recovery from ones that do occur, and examination
through staff appraisals of awareness of security as a systemic
issue.
Brian Collins, head of IS department, Cranfield University
Integrate security matters within a wider framework
This type of issue cannot be driven solely by the IT department.
You need the support of the senior management to assist you in
getting the message through. E-mails from the IT department will be
ignored.
Successful development of a 'security culture' is achieved
through integration of security matters within a wider information
management framework. BS7799 is by far the most appropriate model
to adopt, and it also gives your company the option of going for
formal certification.
The key to an information management strategy is that it covers
all areas, including risk assessment, security controls and
measures, and user training and awareness. It impacts on all
business departments and functions, linking them together by the
overarching security framework.
Unfortunately, in many organisations, security is driven by the
IT department who do it on a best-endeavours approach, based on
what they feel is relevant. The problem with this approach is that
it is disjointed, has very poor governance, with the key decisions
on business risk being neglected by senior management. Security
also becomes perceived as a purely technical issue and many
organisations overlook the physical and the need for integrated
processes.
There is a clear need to turn your attention to the business,
for instance do you have a person responsible for information
security? Is there a reporting procedure and is security an agenda
item at board meetings? If so, use these routes to progress your
initiatives. If these routes are not in place, you need to go up
the organisation to sell your message and ideas. Make sure you use
the correct language, i.e. frame your case around business risk,
governance and any regulations that are a must for your sector.
Roger Rawlinson, NCC Group
The first step is to engage the top management team
Raising the profile of information security is a common
challenge for IT departments. You have correctly identified that
once the technology is in place, the biggest potential weakness is
the internal security culture. Most people are not fully committed
to backing up their personal files until they have suffered a loss
of data.
Your approach to this issue should be influenced by the relative
importance of data and the overall culture in the organisation. The
first step, which you may have implemented, is to engage the top
management team in defining and communicating an information
security policy. Given the high profile of security, this should
not be too difficult, although expecting security to be a regular
item on the board agenda may be optimistic unless you are in a very
sensitive data environment.
If data is critical and your company culture respects
discipline, the top-down management approach may be all you need.
More likely, you will need to continue and enhance the education.
It can sometimes be hard to communicate a policy message in
writing. An alternative is to do this in person, perhaps by
obtaining invites to local management meetings. It is advisable to
keep the messages simple and practical, perhaps supported by short
case studies that illustrate the rationale for the security policy
and culture. In summary, as with many other areas, top management
support and effective communication are critical success
factors.
Sharm Manwani, Henley Management College
Messages need to have some personal meaning
Developing and maintaining a 'security culture' needs to be
approached as an ongoing initiative. Having started your campaign,
you now have an opportunity to evaluate why the message may not
have been accepted and therefore how you may adjust future
communication and activities.
Consider where the message is coming from. In the case of the
e-mail, if it is being sent out from a helpdesk or an unknown
individual in IT, it is far less likely to be actioned than a
communication from the chief executive or another senior
individual. Establishing and demonstrating commitment from "the
top" is crucial if culture is to be changed or developed. Following
up initial messages with more specific communication, for example
around specific responsibilities, from departmental managers will
help continue to embed the message.
Take a step back and evaluate the message being delivered. To be
effective, messages related to security culture need to have some
personal meaning where the cost of non-compliance either for the
individual or the organisation is well understood. Being told to
change passwords regularly because that is company policy is
unlikely to be as effective.
Lastly, consider the effectiveness of the delivery mechanism.
Different organisations respond to different techniques. Some find
mass e-mails effective while others find poster campaigns,
competitions or other incentives to be more effective. In most
cases, one method will lose its effectiveness over time. Using a
combination of methods and ensuring you continue your communication
will be invaluable to establishing the initial awareness and, more
importantly, maintaining an effective security culture.
Ken Allen, Ernst & Young