Changing Security Culture

The recently published Poynter report on the loss of HMRC discs containing personal details of 25 million citizens confirms what most of us already suspected. Security is not taken seriously enough across many public sector organisations. It’s a combination of a culture that has been allowed to grow up and a failing in governance, i.e. a lack of strict targets and conformance audits to identify and correct failings.

Surprisingly there is no mention of the need for accredited certification, which is the only reliable fast-track means of enforcing security standards. The other much-needed solution is a sophisticated behaviour change programme. I say “sophisticated” to distinguish what’s needed from the run-of-the-mill, half-hearted security awareness campaigns that we often see mounted in large organisations. This problem needs more serious attention, a campaign more akin to the efforts made in the nineties to eradicate crime in New York City. 

How should we go about this? Well, I’m afraid you’ll have to wait for my soon-to-be-published John Wiley book on managing the human factor in information security. I’m hoping it will be out early in the New Year. It will contain lots of theory, tips and practical methods for transforming security in organisations. Watch this space.