Information security - the art of keeping sensitive electronic assets under wraps - is as much of a mindset as it is a process. It is also as much of a requirement for your employees being on their toes and knowing what is expected of them as they are performing ongoing security assessments and audits. How does your organization stack up when it comes to taking information security seriously? Do you have a culture where information security and privacy are on the top of most people's minds in their day-to-day work, or is it another one of those roadblocks to a good bottom line?
From what I'm seeing in my work performing information security assessments and from what I'm hearing from my colleagues in the industry, managers believe that information security is good (or good enough) and everything is - by and large - under control. I hear "We just had a security audit and we've resolved all the issues," and "We take information privacy and security very seriously here," or "We trust our network users are doing the right thing to prevent information breaches."
However, when interviewing arbitrary employees during my security assessments, I ask how information security is perceived and how it is actually working within the organization. Needless to say, I'm seeing quite a different picture than what management often paints. I hear things like "Management says they take security seriously, but we're still having security incidents," and "They have a leadership committee that addresses security-related projects but nothing is really getting done," and even worse: "What's information security? Oh, it's that policy IT forces on us to have long passwords and never leave our laptops in the front seats of our cars."
The point is that the two sides - management and employees - view information security from two completely different perspectives: misperception and (somewhat) reality. It seems the larger the organization, the greater the divide.
If you are not in management, do you see your business leaders treating information security as a business problem, or are they burying their heads in the sand believing that information security is an operational issue that will never create any long-term business value? I see both, but quite often, information security gets the silent treatment - even with all of the so-called compliance initiatives that businesses are taking on. The thing is, it's easy to claim "compliance" with PCI DSS, HIPAA, HITECH and Sarbanes-Oxley, but where things stand in reality is often quite different.
The only thing that is going to keep this data breach trend we are experiencing from continuing is for management to change their perception of business risk and get others on board with their beliefs. This is going to require management to take their blinders off and come to terms with the fact that compliance and clean checklist audits do not equal security. All of this requires a shift in mindset and culture related to what is at risk and how business gets done.
Successful business people know that such culture changes are - for the most part - effected by the top-level leaders. That's why it is important for management to realize what information technology really is and what critical electronic assets really mean to the business. However, in many cases, it is a delusional assumption that management will all of a sudden embrace a strong security culture - so what's the next best thing? Get the ball rolling on your own. Believe it or not, you can effect change from the bottom up. If information security is in the best interest of your business, your customers and your career, you can get motivated enough to actually get the ear of management.