Get with IT

Sept. 29, 2010
How's your security culture?

Information security - the art of keeping sensitive electronic assets under wraps - is as much of a mindset as it is a process. It is also as much of a requirement for your employees being on their toes and knowing what is expected of them as they are performing ongoing security assessments and audits. How does your organization stack up when it comes to taking information security seriously? Do you have a culture where information security and privacy are on the top of most people's minds in their day-to-day work, or is it another one of those roadblocks to a good bottom line?

From what I'm seeing in my work performing information security assessments and from what I'm hearing from my colleagues in the industry, managers believe that information security is good (or good enough) and everything is - by and large - under control. I hear "We just had a security audit and we've resolved all the issues," and "We take information privacy and security very seriously here," or "We trust our network users are doing the right thing to prevent information breaches."

However, when interviewing arbitrary employees during my security assessments, I ask how information security is perceived and how it is actually working within the organization. Needless to say, I'm seeing quite a different picture than what management often paints. I hear things like "Management says they take security seriously, but we're still having security incidents," and "They have a leadership committee that addresses security-related projects but nothing is really getting done," and even worse: "What's information security? Oh, it's that policy IT forces on us to have long passwords and never leave our laptops in the front seats of our cars."

The point is that the two sides - management and employees - view information security from two completely different perspectives: misperception and (somewhat) reality. It seems the larger the organization, the greater the divide.

If you are not in management, do you see your business leaders treating information security as a business problem, or are they burying their heads in the sand believing that information security is an operational issue that will never create any long-term business value? I see both, but quite often, information security gets the silent treatment - even with all of the so-called compliance initiatives that businesses are taking on. The thing is, it's easy to claim "compliance" with PCI DSS, HIPAA, HITECH and Sarbanes-Oxley, but where things stand in reality is often quite different.

The only thing that is going to keep this data breach trend we are experiencing from continuing is for management to change their perception of business risk and get others on board with their beliefs. This is going to require management to take their blinders off and come to terms with the fact that compliance and clean checklist audits do not equal security. All of this requires a shift in mindset and culture related to what is at risk and how business gets done.

Successful business people know that such culture changes are - for the most part - effected by the top-level leaders. That's why it is important for management to realize what information technology really is and what critical electronic assets really mean to the business. However, in many cases, it is a delusional assumption that management will all of a sudden embrace a strong security culture - so what's the next best thing? Get the ball rolling on your own. Believe it or not, you can effect change from the bottom up. If information security is in the best interest of your business, your customers and your career, you can get motivated enough to actually get the ear of management.

Selling others on a new topic will only occur if they have something to gain or something to lose. You will have to spell out the value of information security in business terms that managers can relate to. It will take some time and effort, but by talking about the issues the business is facing from a business risk perspective, demonstrating how things like compliance can be used in positive ways for competitive differentiation, and by getting the right people on your side, eventually the word will get out. It will then work its way around and eventually be pushed up to the level it needs to be for positive changes to occur.

Managers: know that your employees are watching and can be influenced by your choices on how information risks are handled. You will never be able to convince everyone to do the right thing and you certainly won't be able to control their actions all the time. But if you make choices and set good examples with long-term perspective, your leadership will shine through, you will start a culture shift and get the majority of your people on board doing what's right. Sounds like a good long-term business plan to me.
Kevin Beaver is an independent information security consultant, author, professional speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments in support of risk management and compliance. He has authored/co-authored eight books on information security including the new "Hacking for Dummies, 3rd edition" and the forthcoming second edition of "The Practical Guide to HIPAA Privacy and Security Compliance." He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin and link to his blog and Twitter account through his Website,