Is security a "should" or a "must"?

From the book “Zen and the Art of Information Security” by Ira Winkler.

When security is a should, people will tell you that security is secondary to business concerns. The security staff demonstrates a great deal of frustration. Employees have a casual attitude to security policies. I want to be clear about one thing, though. When security is a must, it does not mean that security is a priority over business concerns. When security is a must, security is integrated into business concerns. It is a business concern.

Fine words of wisdom but I wonder if it’s actually possible to really generalize in those terms when thinking about a large organisation. For instance, within my own, security is definitely a must from a senior management perspective, but elsewhere it’s more likely a reluctant “should.” There are many complex reasons why this is the case: the nature of the business and organisational culture play a large part. Staff turn-over rate and the types of jobs being performed are clearly another. The attitude to risk, and more often than not, the lack of awareness that there are risks is one further factor. I can find pockets within the organisation where security is working well and others where I’ll explain security policies and recommendations and the response will be one reason after another why they won’t work.

I’ve often been heard to complain that we don’t direct security strongly enough – in other words rather than giving direct orders and instructions (“You MUST do this”), we say “please co-operate” or words to that effect and then expect things to fall into place. However, I now find myself unconvinced that taking the militaristic route is the right one. It may simply be more likely to get individuals nodding “yes” in agreement but then saying “no” once your back is turned. I try to take a reasoned middle ground: soliciting feedback and explaining the relevance of policy and risks that we are trying to mitigate.

This is exactly what I’ll be doing this week when I present to a group of senior managers from my organisation who are coming together for a meeting from various points of the globe. The group represents a wide range of cultures and a wide range of attitudes to security so the dynamics should be interesting. I’ll let you know how I get on.