In search of a new security culture

Regular visitors will have noticed that my postings have been a bit thin lately. It’s because I’ve been head-down completing a new book on “Managing the Human Factor in Information Security”, to be published by John Wiley in the New Year. As anyone who’s ever written a book will know, it’s a surprisingly tough task, about the equivalent of a hundred white papers, and all in a handful of months.

It’s also interesting how the real world tends to overtake your writing. The Cabinet Office has published a collection of papers on the state of information handling in Government and what they intend to do about it. My colleagues, Philip Virgo and Stuart King, have already commented on them. The human factor and the need for a culture change figure quite high in these reports. So what do I think about the Government’s proposals? After all, I’ve been thinking hard about this subject for most of this year.

I have to say that I think they’ve nailed the problem space, but they are a bit short of ideas on the solutions side. There is a widespread need for a major culture change. That’s clear. But it can’t be achieved by a training or communication programme, by decreeing a policy, by conducting impact assessments, or by simply making someone responsible.

Culture changes demand a whole lot more than that. Amongst other things, they require very simple but subtle adjustments to governance, infrastructure, roles and other motivating factors. It’s a specialist job, not one for policy makers or generalist civil servants. I certainly hope the implementation across Whitehall and beyond takes account of that. Otherwise we’ll be conducting the same reviews a few years from now.