Understanding and transforming organizational security culture

Excerpt from an article: "Understanding and transforming organizational security culture"

Author: David Lacey (David Lacey Consulting Ltd, Guildford, UK)

Publication: Information Management & Computer Security, Vol. 18 No. 1, 2010, pp. 4-13

The BS7799 standard was a major breakthrough in its day, but it is a vehicle conceived more than 15 years ago, perhaps reflecting the nature of information security management for a process-driven business world. And that world is changing. BS7799, and its successor ISO27001, were designed primarily for a business environment in which repeatable processes dominated the value chain. Implementing security required controls to be embedded in business processes, procedures and infrastructure. In contrast, we now need an approach that matches a more dynamic business environment that is less constrained by repeatable processes. Implementing security now requires more attention to people, rather than processes or infrastructure.

This implies the need to develop a different approach to security management: one that caters for a real-time generation of users, operating in a nomadic, networked, and increasingly script-free, information society. Achieving this goal requires a progressive shift in emphasis from processes and procedures towards people, relationships and information flows. We need less focus on formal procedures and corporate dogma, and more on genuine engagement with people. This demands a two-way, emotional, communications process, and one that aims to harness the efforts of everyone in the corporation, including customers and business partners. We will need to exploit this collective vision and perception in order to understand the real causes of incidents and gain better visibility of events and their context.

Perhaps, the hardest of all issues to solve is the need better information systems that make allowances for human error in order to eliminate unnecessary mistakes, accidents and breaches. But good security design is expensive and time consuming to develop. It can only be achieved through a closer observation of human behaviour and greater engagement with users. We need to spend a greater deal of time learning to appreciate our users’ culture, requirements, likes, dislikes and expectations. We must also practice greater attention to detail when drawing up user specifications because, in practice, the difference between a design that works and one that fails is often no more than a small detail or two.

Achieving these goals requires us to re-think both the essence of security management and the nature of the knowledge, skills and organization demanded by this changing business environment. In a future world in which citizens are fully connected and services are delivered from within an internet “cloud”, the major thrust of security functions will not be to articulate legalistic policies and technical architecture, but to change the perception and behaviour of thousands of managers, staff and customers. Responding to this challenge demands a greater emphasis on the “softer” skills of psychology, education, marketing, communications and change management. Preparing for that change should be the major priority of information security training, education and business functions across the world.