1. BMIS: Creating an Intentional Culture
Vernon Poole – Sapphire
2. Session Goals
Consider the current problems information security professionals face in regards to organizational culture
Evaluate traditional approaches used to address these problems
Introduce systemic thinking as a better way of thinking about information protection solutions
Discuss how culture impacts the security program
Have a mutually beneficial exchange of ideas
3. Business Model for Information Security
Objective
Briefly introduce the model and the dynamic interconnections.
Explain that the model is flexible and that it may not look like this when beginning a program, but the goal is balance and equilibrium.
4. Challenges
Internal information security breaches continue to increase
Many problems appear not to have been solved even though information security awareness programs have become common
Humans often tend to be the greatest threat to information security
People
Avoid controls
Lose mobile equipment
Are unaware of how to properly handle information assets
Objective – Highlight Challenges
Common challenges are that:
Past experiences are not retained, so organizations do not learn from previous incidents.
Information Security is a relatively young profession, so there is a lack of research and information available to information security managers to use in decision making.
Information Security professionals have often come from IT, where they did not have the opportunity to learn business skills. It is therefore necessary for information security professionals to learn about the enterprise so that they can align the security program with enterprise objectives.
5. Culture & Its Impact
There are many definitions available for culture, but according to Systemic Security Management (SSM) culture can be defined as the patterns of behaviors, beliefs, assumptions, attitudes and norms.
It is the ‘how stuff gets done’ of organizations
Security must be worked into the corporate culture. Studies show that up to 80% of productivity problems can be related to flaws in the system that manifest in the culture such as
Alignment problems (conflicting goals)
Attitude issues (burn out, complacency)
Decision making (lack of a leader, too cumbersome)
Influence issues (difficulty getting buy-in)
Innovation and creativity (personnel and productivity)
It is important that people do not underestimate the importance of culture. Culture definitions should not be limited to what the top executive pushes down (although that is a component) or to rules, but rather patterns of behaviors, things people assume and the beliefs that exist throughout the organization.
If the rules say that everyone must attend security awareness training online but no managers ask their employees to do so, or ask them in a way that deemphasizes the importance of the effort, then people may believe that security is not something they need to worry about.
The ‘how stuff gets done’ is interesting. Take for example the procedures in place for password resets: they are no good if everyone knows the real way to get it done quickly is to go ask Joe in IT to do it right away. Once people tell things to new employees and the behaviors are transferred, they become a norm; it then becomes the unofficial procedure.
6. Aspects of Culture
What aspects of culture affect the overall organizational culture?
External Issues (Ethnic; Religious; Socio-economic; Geographical)
Internal Issues (Incidents; Organizational tone; Priorities)
Additionally, many factors affect culture that are often forgotten, such as age, gender, sexual orientation and personal beliefs
Culture is important to the security program - it can either hinder or propel change
Shown to be deterministic of what information individuals take in and what facts are acted on.
Individuals bring their beliefs & perceptions to work, which may affect their behavior.
The pattern of behaviors is what makes up the organizational culture
Sub cultures also need to be addressed – some may classify these as the way things get done
7. Culture & Its Business Impact
Organisations need to consider how culture impacts business and how to account for that. Creating a culture that operates effectively with security entwined into daily processes, beliefs and behaviors is critical
While an overall organizational culture exists, it is important to note that cultures may also differ between business units; this may be the result of reward systems. Using sales as an example, they are often motivated to produce as their income depends on it.
This security culture creates a supporting environment for implementing data and network security practices.
8. Cultural Research
SSM research identifies 6 aspects of culture that are of particular importance to information security issues:
Rules and Norms
Tolerance for ambiguity
Power Distance
The Politeness Factor
Context
Collectivist vs. Individualist
9. 1. Rules & Norms
Rules can be written or unwritten
Norms can be described as deeply held assumptions that manifest as repetitive behaviors and are enshrined in organizational culture
People within the system observe the behaviors of others who are seen as successful and often repeat those attitudes and behaviors – this creates a norm
These can be detrimental or helpful to security depending on the behavior
10. 2. Tolerance for Ambiguity
“refers to the ability to react to new, different, and at times unpredictable situations with little visible discomfort or irritation.” Harris & Moran, 1993
Norms must be able to be flexible, resilient and adaptable
Where tolerance is too high it may cause mistakes or oversights, while where tolerance is too low it may cause a system to be too rigid and will therefore disallow change.
Finding a balance is important
11. 3. Power Distance
Refers not only to the organization chart but to informal beliefs and norms
High Power Differential – organization with clear differentiation between individuals, authorities and roles
Low Power Differential – organization where reporting structures are blurry and everyone is perceived as equal
The type of power distance will affect information flow as well as roles and responsibilities
12. 4. The Politeness Norm
Seen in High Power Differential organizations and is affected greatly by geography
People may see security problems but do not acknowledge them, as it may put a person in a position of authority in an awkward situation where they have to save face.
The politeness norm is not limited to being polite. Individuals may be afraid to say something when they notice a problem if they are afraid of repercussions. This is clear in the example of Korean Airlines having seventeen times more plane crashes than any American air carrier between 1988 and 1998 – this has been attributed to cultural issues where in Korea the High Power Differential Index is so high that a subordinate first officer would never tell a captain that something was wrong.
The captains were in charge and did not take direction from someone lower on the chain of command – subordinates knew this and remained quiet even in the face of disaster – the airline suffered tremendously in relation to its reputation, safety ratings and customer loyalty. A cultural change was needed and an American, David Greenberg, was brought in to revamp the enterprise – he brought with him Alteon, a subsidiary of Boeing, to reinvent training programs, and insisted on English being the language of Korean Airlines so pilots could communicate with Air Traffic Control. As a result of the fundamental changes in the organization's DNA, Korean Airlines completely reinvented itself, brought its safety rating back up and received an award for its transformation. (Gladwell, 2008)
13. 5. Context
Need or lack of need of shared backgrounds - High context cultures depend on shared experiences & are usually more homogenous; Low context cultures are more individualistic & heterogeneous - Culture changes must begin as low context
Individuals are brought into groups such as security steering committees
You can begin to strive towards becoming high context & more homogenous
This can be done by sharing experiences and information
This can increase collaboration & trust but takes a long time to establish
High Context Cultures - depend on shared experiences to have meaning & require fewer words because people “know”
Low Context Cultures - do not depend on shared experiences; require more words to have meaning; increased complexity as information handling needs are increased; have more documentation
14. 6. Collectivist v Individualist
We vs. Me
Many organisations trying to get to WE perspective – this is difficult in a weak economy with a high unemployment rate as people may tend to look out for themselves
What’s best for the organisation is important for security culture – if people have loyalty to the organisation they are more likely to handle information in a secure manner.
Well established and well communicated strategy and goals can help organizations get to the WE perspective
Organisations need to have security engrained so deeply into their DNA that people do not have to think about doing something securely – they just do
15. Culture & the System
The organizational culture affects the entire corporate system.
Being prepared to deal with change is essential.
Some types of cultures are more open to dealing with change than others.
Organizations that have a hierarchical or high power distance culture are often more rigid than egalitarian or low power distance cultures
16. BMIS : Social Network example
Used primarily by younger population
Is it accepted by others in the organisation
How is security included into technical solutions
Social network tools affect the organisation in many ways
Culture
Governing
Enabling and Support
Emergence
Architecture
Process
Generation Y is becoming a population of its own in enterprises. They bring with them vast knowledge in technology, as they have been raised as ‘digital natives’, and they also bring with them a set of expectations. In many organizations use of the internet, texting, and social network sites has been prohibited; however, this attitude is changing and companies are realizing that to gain maximum productivity from these employees they need to make some accommodations. In order to attract and retain employees in this generation, many organizations are embracing web 2.0 services and not only allowing employees to utilize these sites but also creating facebook, linkedin, myspace and twitter pages for the organization. The use of services such as these has enterprise-wide implications, both positive and negative. There are governance issues such as policies and standards that need development; the technology, architecture and infrastructure are all impacted, and as a result of traffic, provisioning and bandwidth requirements may need to be adjusted. There are also issues that will happen without advance notice – this falls into the emergence category. The issues that emerge could be good, such as increased collaboration and productivity, but could also be negative, and the resulting risks need to be managed. Social network and web 2.0 technologies provide a good example of how a change in employee age has impacted the way business is done. As we can see, this appears to be an issue that affects culture but reaches into every branch in BMIS.
*If social network tools are not being accepted in your region please discuss how the unacceptance is affecting the organizational culture.
17. BMIS : Social Network example
BMIS provides a way for the security manager to look at all the areas that may be impacted either by the issue itself, or by an attempt to control it
Allowing for flexibility, the model can accommodate all of the process, technology, policy and educational needs a security manager would face when making accommodations for something such as social networking
The systems thinking concepts such as feedback and delay would also enable the manager to anticipate how changes will affect the organization as a system.
18. The Security Culture
It is imperative that security become a core value that is enshrined in the organizational culture
People need to be thinking about security
People need to be aware of how to protect information assets
People need to think about what is best for the enterprise and its customers
One more important aspect of culture is perception. If management claims to commit but does not adjust its pattern of behaviors, employees will know that they don’t have to change their behaviors. This has an adverse effect on process, governance, emergence and technology.
19. The Security Culture
A culture that is cognizant of information security issues would have the people, the security program and the organization aligned.
Policies, Standards and procedures well defined and well communicated (and enforced)
Strong support from executive management
Continual awareness and training programs
People that understand that security is a priority and practice good habits with regard to information handling
20. The Security Culture
The Intentional Security Culture
Kiely (2006) suggests creating an intentional security culture
Culture must include the above-mentioned aspects but really needs to integrate security into the DNA of the organizational culture
Whether the organisation has a high-powered, homogeneous culture or a low-powered, heterogeneous culture, it can be changed over time.
More than behaviors need to be adjusted; the underlying norms and attitudes must be adjusted as well
21. The Security Culture
Culture is not just education
Although awareness raising, training and security education are important factors that may change behaviors, they alone cannot change the culture of an organization
Culture is not just governance
Policies and standards are critical to influencing the culture, as is the “tone at the top”, but they cannot change the culture alone
The current problem with an Information Security Culture is that there is no agreed definition. Much research concurs that an information security culture is achieved when information security aspects are instilled in every employee as a natural way of doing their job (von Solms, 2000) or how things are done by the employees and the organization in relation to information security (Ngo et al., 2005) (Martins & Eloff, 2002) (Kiely, 2006)
Research opinions diverge when we begin to investigate how to change the culture to an intentional security culture. Most of the suggestions revolve around awareness training. This is not an effective means of changing a culture and does not take a systemic approach. Culture influences the entire system, and so changes need to be made at the very foundation of the culture. Behaviors, attitudes and norms need to be influenced in order to get to a point where security is simply encompassed in the way business is done – attitudes about information handling and protection need to be incorporated into the organization through policy design, management support and business practices. Governance and education are definitely important but are insufficient on their own. Culture changes are long-term solutions and need to be reinforced throughout all areas in the enterprise.
Generally, researchers agree that the security culture represents the way things are done in relation to information security
22. How to create an Intentional Security Culture
Realize this is a large undertaking and is not a short term fix
Work to establish a strong IS Governance program that includes buy in from leadership as well as functional business unit leaders – find influential leaders to help deliver key messages
Encourage collaboration between business units reducing siloed management
Gain concurrence on clear goals and objectives
Provide the knowledge, tools and skills people need to effectively handle information assets
Develop consistent processes for information handling and sharing
Develop scenario training to influence change in beliefs and attitudes
Communicate, communicate, communicate
Cultural changes can happen and will take time. Small intentional changes can have ripple effects across the organization. Increasing collaboration between groups can increase trust and bring people together with a common goal. Once people begin to work together they can begin to share experiences, which will help to improve relationships and attitudes.
Perceptions are important…security professionals must show that security is not an obstacle but an enabler, and other people need to be able to accept that.
23. Benefits of an Intentional Corporate Culture
Internal Trust – can demonstrate an organisation’s nimbleness.
External Trust - essential among business partners, contractors, vendors and customers.
Benefits of Consistency - when security is working, it is unobtrusive, functional and pervasive – it brings attributes of
predictability;
standardisation;
improved ability to manage risk;
improved ROI;
compliance with laws/regulations
shareholder/citizen value
24. Inhibitors to an Intentional Corporate Culture
Societal Culture - The security culture is conditioned by the sense that the organisation's information is not under attack, or it is easy to slip back into comfortable complacency.
Lack of Organisational Imperatives - it is difficult to obtain a consensus on the relative importance of various aspects of security.
Unclear Requirements - the specific requirements to fulfil the implied obligations are often unclear.
Insufficient Awareness
Systemic shortcomings - inability to detect variances in policy & culture; or to monitor and enforce compliance with the culture
Lack of Rewards – e.g. uninformed risk acceptance
WIFM (What’s In It For Me) – unfunded mandate; lacks management attention; personal esteem?
25. Intentional Culture of Security : Practical Aspects
Changing perceptions - to erase the negativism & associate with the benefits to people of moving freely, with appropriate access.
It is People Who Make the Culture
Attributes of a Security Culture
Security Champions – who the Board listen to
Realistic Budget – to support security initiatives
Broad Accountability – shared responsibility
Awareness/Training - tailored.
Policies, Standards & Guidelines - ensure they are enforceable.
Go- No Go Decisions – requires strong leadership from the top.
Rewards – need to reward good risk-related decision making.
Rigorous response to security incidents
Satisfied Customers - demand reliability from its suppliers.
27. Broad Accountability – shared responsibility
28. Ultimate Goal: Security Culture Maturity Model
29. Information Security Culture Goal
30. Questions & Contact?