Strategy clinic: How can we spread the security message?

We are keen to develop a 'security culture' among company staff but are not convinced the e-mails we send around are taken notice of.


The question

We in the IT department are confident we have sufficient technology-based defences in our network and are keen to develop a 'security culture' among company staff. The workforce is spread across several locations in the UK and abroad. We have sent out e-mails about the various threats but are not convinced these are taken notice of. How can we get our message across most effectively?

The solution

The example of top management is crucial

Raising awareness of business and information security issues should be treated as an ongoing process, not as a project. It should start at the top with the CEO, and it should be visible that those in all leadership positions take it seriously as individuals. Their example is critical to changing the culture of the organisation.

Continuous sensitisation of all employees, making some more aware of their duties and responsibilities, and educating and training a few who are in critical roles (in IS, security and elsewhere) allows a structured and cost-effective approach to be maintained.

Allowing for cultural differences across the world is also very important. Some cultures are rule-driven, some compliance-driven and some more strongly affected by culture.

Adapting a common message to a communications method that is locally appropriate is critical to achieving a coherent but not identical approach to security on a global basis.

Reinforcement of this approach by the use of policies and procedures, probably based on BS7799 or its international equivalent, will help considerably in ensuring that all staff use a common approach to the management of security.

Overarching business risk management should be held at board level, and the consequences of new approaches to risk governance delegated into business units integrating them into local risk-management practices as appropriate.

Feedback on success will come from statistics on numbers of incidents, recovery from ones that do occur, and examination through staff appraisals of awareness of security as a systemic issue.

Brian Collins, head of IS department, Cranfield University


Integrate security matters within a wider framework

This type of issue cannot be driven solely by the IT department. You need the support of the senior management to assist you in getting the message through. E-mails from the IT department will be ignored.

Successful development of a 'security culture' is achieved through integration of security matters within a wider information management framework. BS7799 is by far the most appropriate model to adopt, and it also gives your company the option of going for formal certification.

The key to an information management strategy is that it covers all areas, including risk assessment, security controls and measures, and user training and awareness. It impacts on all business departments and functions, linking them together by the overarching security framework.

Unfortunately, in many organisations, security is driven by the IT department who do it on a best-endeavours approach, based on what they feel is relevant. The problem with this approach is that it is disjointed, has very poor governance, with the key decisions on business risk being neglected by senior management. Security also becomes perceived as a purely technical issue and many organisations overlook the physical and the need for integrated processes.

There is a clear need to turn your attention to the business. For instance, do you have a person responsible for information security? Is there a reporting procedure, and is security an agenda item at board meetings? If so, use these routes to progress your initiatives. If these routes are not in place, you need to go up the organisation to sell your message and ideas; make sure you use the correct language, ie frame your case around business risk, governance and any regulations that are a must for your sector.

Roger Rawlinson, NCC Group


The first step is to engage the top management team

Raising the profile of information security is a common challenge for IT departments. You have correctly identified that once the technology is in place, the biggest potential weakness is the internal security culture. Most people are not fully committed to backing up their personal files until they have suffered a loss of data.

Your approach to this issue should be influenced by the relative importance of data and the overall culture in the organisation. The first step, which you may have implemented, is to engage the top management team in defining and communicating an information security policy. Given the high profile of security, this should not be too difficult, although expecting security to be a regular item on the board agenda may be optimistic unless you are in a very sensitive data environment.

If data is critical and your company culture respects discipline, the top-down management approach may be all you need. More likely, you will need to continue and enhance the education. It can sometimes be hard to communicate a policy message in writing. An alternative is to do this in person, perhaps by obtaining invites to local management meetings. It is advisable to keep the messages simple and practical, perhaps supported by short case studies that illustrate the rationale for the security policy and culture. In summary, as with many other areas, top management support and effective communication are critical success factors.

Sharm Manwani, Henley Management College


Messages need to have some personal meaning

Developing and maintaining a 'security culture' needs to be approached as an ongoing initiative. Having started your campaign, you now have an opportunity to evaluate why the message may not have been accepted and therefore how you may adjust future communication and activities.

Consider where the message is coming from. In the case of the e-mail, if it is being sent out from a helpdesk or an unknown individual in IT, it is far less likely to be actioned than a communication from the chief executive or another senior individual. Establishing and demonstrating commitment from "the top" is crucial if culture is to be changed or developed. Following up initial messages with more specific communication, for example around specific responsibilities, from departmental managers will help continue to embed the message.

Take a step back and evaluate the message being delivered. To be effective, messages related to security culture need to have some personal meaning where the cost of non-compliance either for the individual or the organisation is well understood. Being told to change passwords regularly because that is company policy is unlikely to be as effective.

Lastly, consider the effectiveness of the delivery mechanism. Different organisations respond to different techniques. Some find mass e-mails effective while others find poster campaigns, competitions or other incentives to be more effective. In most cases, one method will lose its effectiveness over time. Using a combination of methods and ensuring you continue your communication will be invaluable to establishing the initial awareness and, more importantly, maintaining an effective security culture.

Ken Allen, Ernst & Young
