Is security a "should" or a "must"

From the book “Zen and the Art of Information Security” by Ira Winkler.

When security is a should, people will tell you that security is secondary to business concerns. The security staff demonstrates a great deal of frustration. Employees have a casual attitude to security policies. I want to be clear about one thing, though. When security is a must, it does not mean that security is a priority over business concerns. When security is a must, security is integrated into business concerns. It is a business concern.

Fine words of wisdom, but I wonder if it’s actually possible to generalise in those terms when thinking about a large organisation. For instance, within my own, security is definitely a must from a senior management perspective, but elsewhere it’s more likely a reluctant “should.” There are many complex reasons why this is the case: the nature of the business and the organisational culture play a large part. Staff turnover rate and the types of jobs being performed are clearly another. The attitude to risk, and more often than not the lack of awareness that there are any risks, is one further factor. I can find pockets within the organisation where security is working well, and others where I’ll explain security policies and recommendations and the response will be one reason after another why they won’t work.

I’ve often been heard to complain that we don’t direct security strongly enough – in other words, rather than giving direct orders and instructions (“You MUST do this”), we say “please co-operate” or words to that effect and then expect things to fall into place. However, I now find myself unconvinced that taking the militaristic route is the right one. It may simply be more likely to get individuals nodding “yes” in agreement but then saying “no” once your back is turned. I try to take a reasoned middle ground: soliciting feedback and explaining the relevance of policy and the risks we are trying to mitigate.

This is exactly what I’ll be doing this week when I present to a group of senior managers from my organisation who are coming together for a meeting from various points of the globe. The group represents a wide range of cultures and a wide range of attitudes to security, so the dynamics should be interesting. I’ll let you know how I get on.

1 comment

It's a must. There are just some simple costs of being in business, and information security is one of them. This should be becoming even more so as we fully move into a knowledge-based economy. How we go about making it a must is up to us and what will/will not work in the environments we find ourselves in. I have always found that understanding the organisational dynamics and culture is the most important factor when trying to establish the security agenda. Alas, these softer elements of the 'business of security' are often under-represented in the curriculum of specialist MSc or professional qualifications (whether they can be taught at all, or whether you only really learn through being in a live organisational environment, is another matter).
