Embedding a security culture

Thursday March 27, 2014 at 11:54am
We read nowadays of many organisations appearing in the national papers for remarkable instances of data loss. Often these are household names such as high street banks and major hospitals.

I get quizzed by many owner managers about these spectacular failures of data management and how such instances occur. All too often, once an investigation has taken place, the cause turns out to be a lack of awareness or understanding of information security protocols, and not necessarily a technical failure.

When I examine IT security failings, the ‘corporate culture’ is often not properly aligned with, or suited to, maintaining the ‘assets’ in the manner required or espoused by the security policy – if there is one.

So how should an organisation go about embedding a security culture?

Firstly, there must be CEO involvement. The CEO needs to understand the information security programme and the assets that must be protected. In addition, the CEO must promote and foster the information security strategy, and the importance of the programme must be communicated to all senior managers. Dare I say it, it must be a case of ‘walking the talk’: if staff detect no interest or buy-in from the top, such an initiative is likely to fail.

Secondly, the business as a whole needs to understand the importance of the information assets that it holds. In my experience, data is often not valued in the same way as computers, premises or cars. Only when staff fully appreciate the importance of data as an ‘asset’ will mindsets start to alter.

Thirdly, the information security management system that is adopted must be appropriate to the business needs, and not some tortuous system that only a highly trained technician can fathom.

Fourthly, hold regular awareness and feedback sessions to which staff from all parts of the organisation are invited. If senior management, or even the CEO, attend, employees will start to appreciate the importance of this activity.

Finally, and in my experience this is all too often lacking, a programme of well-developed information security audits is necessary. Auditors need to be well versed in assessing both the physical and the systems parts of the business, plus all the associated management areas. A thorough report is required, with clear evidence of findings and areas of non-compliance. The report should be submitted to the CEO, who should act on the findings and take an interest in the closure of security concerns and breaches.

So, if you want to avoid IT security failings and data breaches, my advice is to genuinely embrace information security management within your business, rather than just paying lip service to it.

Marcus Allen
Parker Management Consultants

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT