An article by Wendy Goucher in the latest edition of the Computer Fraud & Security Journal entitled “Shooting the Messenger” caught my attention. It discusses organisational blame culture around the reporting of information security incidents. Wendy states that “Current business culture is such that should any problem arise blame is apportioned so that the miscreant can be spoken to strongly by their line manager. If there is no obvious or clear person to blame then one must be found.” This produces a challenge with regard to security, because we want to encourage problems to be reported.
In fact, the scale of the problem increases when we have an organisation operating in different parts of the world. Encouraging issues to be reported is not something that’s warmly embraced where the regional culture is one of not wanting to be seen to be making mistakes and creating problems. My tack has been to challenge parts of the business to actively seek and explore issues and therefore demonstrate that they understand security and take it seriously. But I’ll admit that there’s no quick win, and it’s hard work to start getting people to open up when, as Wendy says, reducing the blame reflex is not something that a manager or department can decide to do autonomously.
The article goes on to discuss the fact that the person who spots the problem and reports it is often not the person who caused it. But often they are going to be the one in the firing line. For example, a security guard who discovers a break-in might be asked why he didn’t verify that alarms were activated, a network analyst discovering an intrusion might be asked why he didn’t spot that a firewall port was open, and so on. Having a culture of blame within the organisation will be detrimental to incidents being reported and more likely to encourage cover-ups.
Wendy’s article closes by stating that there is some comfort in being able to point the finger of blame for a mistake at someone else… However, it does not help the person responsible for information security identify where the system is weakest and therefore prevent such events from happening in future.
My fellow blogger David Lacey pointed out some time ago the growing importance of human factors in today’s security and IT problem space. This extends to much more than just security awareness but right through the organisation and the way that we deal with people when issues arise.