I’ve been surprised by the number of people who believe that the root cause of breaches such as the recent HMRC data breach is culture. In my view these incidents are the result of a failure of governance. Policies and standards don’t implement themselves. You have to communicate them clearly and check that they’re being followed. If they aren’t (which is a given), you have to lobby firmly to persuade managers to allocate the time, resources and money to close the gaps.
There are many reasons, other than culture, why people don’t implement corporate policies. In practice it’s very rare to find an employee who has taken the trouble to read them, and even rarer to find one who understands them. Published policies and guidance rarely achieve more than 20% penetration without an aggressive implementation programme. And compliance will progressively slip in any organisation that doesn’t maintain an ongoing education programme and a six-monthly review of the actual practices inside the organisation.
Visibility, testing, monitoring and audit are vital inputs to all security functions. They tell you what’s really happening on the ground, and they’re straightforward processes, not difficult to implement. Corporate policy can be a powerful argument to persuade people to implement security. But if you don’t follow it up, it’s no more than a tick in the box for an ivory-tower bureaucrat.