Building a Security Culture From the Top Down, article for ExaProtect Newsletter, Aug 2007

Building a Security Culture From the Top Down

Within most organizations, employees fall into two distinct tribes. On the one side there are the information technologists; on the other, the business users and managers.

Each tribe views the other with considerable distrust and exasperation. Technologists cannot understand the complacency with which business users view the internal and external threats to the organization. Meanwhile, the business users feel the technologists are intent on obstructing them in their work.

This chasm, which is costly and counter-productive, often reflects a long-term failure by the board to exert proper governance over technology. When the board demonstrates a proper understanding and control over information assets, it becomes far easier for all staff to accept the linked concepts that information must be confidential, that its integrity must be assured, and that it must be available to those authorized to access it, as and when they need it.

Far too few boards exhibit the necessary awareness of information security. Information is the life-blood of the modern business. About 90% of businesses send e-mail across the Internet, browse the web and have a website; and 87% of them now identify themselves as 'highly dependent' on electronic information and the systems that process it. Information and information systems are at the heart of any organization operating in the modern world.

The business environment has always been full of threats, from employees and competitors through to criminals and spies. Today, the proliferation of increasingly complex, sophisticated and global threats to corporate information and its systems, together with the compliance requirements of a flood of computer- and privacy-related regulation, is forcing organizations to take a more joined-up view of information security. Hardware-, software- and vendor-driven solutions to individual information security challenges no longer cut the mustard. On their own, in fact, they are dangerously
inadequate.

But, as boards need to recognize, computer security technology by itself does not protect information. On its own, it just wastes money, gives a false sense of security and decreases business efficiency. What is needed is a structured method for identifying the real information risks faced, their financial impact, and appropriate methods of mitigating them. Securing information requires an approach that is as much about process and individual behavior as it is about technological defences.

Of course, no organization has either the time or the resources to work out, on its own and from first principles, how to do this effectively. Apart from anything else, the time and error profile is likely to be unattractive.

Happily, no organization needs to. In ISO27001 there is an off-the-shelf, best practice standard that enables an organization to establish an information security management system that matches its business needs, preserve its assets, protect its directors and improves its competitiveness.

This is a boardroom issue and a significant help to directors seeking to meet their governance obligations. Using the standard, which has already been adopted by over 3,000 organizations globally, it becomes possible to drive security consciousness and practice throughout the business. By taking this initiative, boards will not only be able to sleep better at night, but will also take a major step towards healing the rift between technologists and users that hinders organizational performance.

Alan Calder is chief executive of IT Governance (http://www.itgovernance.co.uk), the world's most comprehensive publisher and distributor of books, tools, information and advice on ISO27001, governance, risk and compliance.