Tuesday, August 6, 2013

A Culture of Security - The Best Infection!

   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.
   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier.  Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention of an incident or breach, nor even provide a reliable probability of one.

   One thing we can do is to simplify our security problems, take a more risk-based approach (more on this another day) and do what makes sense.  I've written about these topics here and here.

   It's important to simplify, but we must also make sure people know what to do.  That's where Security Awareness and Training come in.  These have been hot topics on the interwebs.

   I think it's critical to create a "culture of security" at your organization.  What I mean by that is that you work your program to the point that people not only understand how to protect information and your organization, but they become advocates and evangelists of your program.  People know what to do, look out for the protection of information, and spread the word for you.

   Easier said than done!  And this takes time.

   Here are my top 3 tips for creating a culture of security at your organization:
  1. Make your program relevant - Try to reach people through your awareness and training program.  Teach not only about how security works at the office, but cover home security topics.  When people understand more about the hows and whys of protecting their own data at home, they can relate those ideas to the office.
  2. Connect to the business - One size does not fit all.  I've talked before about learning about what your business does, choosing appropriate controls and processes, and tailoring these to your environment.  If you have done this, you can explain to people how security enhances the business.
  3. Remove controls that don't add value - Continuously re-evaluate your program.  Does it meet the business need?  Can you accomplish your goals and the goals of staff?  Do you have controls or processes in place that cause pain for staff but don't really add to your security posture?  If so, then find and destroy them!
   Does your organization have a culture of security?  What do you do to promote security?  What can you remove to promote security?
