
BMIS: Creating an Intentional Culture Vernon Poole Sapphire


Presentation Transcript


    1. BMIS: Creating an Intentional Culture Vernon Poole – Sapphire

    2. Session Goals: consider the current problems information security professionals face in regard to organizational culture; evaluate traditional approaches used to address these problems; introduce systemic thinking as a better way of thinking about information protection solutions; discuss how culture impacts the security program; have a mutually beneficial exchange of ideas.

    3. Business Model for Information Security. Objective: briefly introduce the model and its dynamic interconnections. Explain that the model is flexible and that it may not look like this when beginning a program, but the goal is balance and equilibrium.

    4. Challenges. Internal information security breaches continue to increase. Many problems appear not to have been solved even though information security awareness programs have become common. Humans often tend to be the greatest threat to information security: people avoid controls, lose mobile equipment, and are unaware of how to properly handle information assets.

    Objective – Highlight Challenges. Common challenges are that: past experiences are not retained, so organizations do not learn from previous incidents; information security is a relatively young profession, so there is a lack of research and information available to information security managers to use in decision making; information security professionals have often come from IT, where they did not have the opportunity to learn business skills. It is therefore necessary for information security professionals to learn about the enterprise so that they can align the security program with enterprise objectives.

    5. Culture & Its Impact. There are many definitions available for culture, but according to Systemic Security Management (SSM) culture can be defined as the patterns of behaviors, beliefs, assumptions, attitudes and norms. It is the ‘how stuff gets done’ of organizations. Security must be worked into the corporate culture. Studies show that up to 80% of productivity problems can be related to flaws in the system that manifest in the culture, such as alignment problems (conflicting goals); attitude issues (burnout, complacency); decision making (lack of a leader, too cumbersome); influence issues (difficulty getting buy-in); innovation and creativity (personnel and productivity).

    It is important that people do not underestimate the importance of culture. Culture definitions should not be limited to what the top executive pushes down (although that is a component) or to rules, but rather to patterns of behaviors, the things people assume and the beliefs that exist throughout the organization. If the rules say that everyone must attend security awareness training online but no managers ask their employees to do so, or ask them in a way that deemphasizes the importance of the effort, then people may believe that security is not something they need to worry about. The ‘how stuff gets done’ is interesting. Take for example the procedures in place for password resets: they are no good if everyone knows the real way to get it done quickly is to go ask Joe in IT to do it right away. Once people tell things to new employees and the behaviors are transferred they become a norm; it then becomes the unofficial procedure.

    6. Aspects of Culture. What aspects of culture affect the overall organizational culture? External issues (ethnic; religious; socio-economic; geographical) and internal issues (incidents; organizational tone; priorities). Additionally, many factors affect culture that are often forgotten, such as age, gender, sexual orientation and personal beliefs. Culture is important to the security program: it can either hinder or propel change. It has been shown to be deterministic of what information individuals take in and what facts are acted on. Individuals bring their beliefs and perceptions to work, which may affect their behavior. The pattern of behaviors is what makes up the organizational culture. Subcultures also need to be addressed; some may classify these as the way things get done.

    7. Culture & Its Business Impact. Organisations need to consider how culture impacts business and how to account for that. Creating a culture that operates effectively, with security entwined into daily processes, beliefs and behaviors, is critical. While an overall organizational culture exists, it is important to note that cultures may also differ between business units; this may be the result of reward systems. Using sales as an example, they are often motivated to produce because their income depends on it. A security culture creates a supporting environment for implementing data and network security practices.

    8. Cultural Research. SSM research identifies 6 aspects of culture that are of particular importance to information security issues: Rules and Norms; Tolerance for Ambiguity; Power Distance; The Politeness Factor; Context; Collectivist vs. Individualist.

    9. 1. Rules & Norms. Rules can be written or unwritten. Norms can be described as deeply held assumptions that manifest as repetitive behaviors and are enshrined in organizational culture. People within the system observe the behaviors of others who are seen as successful and often repeat those attitudes and behaviors; this creates a norm. These can be detrimental or helpful to security depending on the behavior.

    10. 2. Tolerance for Ambiguity. “Refers to the ability to react to new, different, and at times unpredictable situations with little visible discomfort or irritation.” (Harris & Moran, 1993). Norms must be flexible, resilient and adaptable. Where tolerance is too high it may cause mistakes or oversights, while where tolerance is too low it may cause a system to be too rigid and will therefore disallow change. Finding a balance is important.

    11. 3. Power Distance. Refers not only to the organization chart but to informal beliefs and norms. High Power Differential: an organization with clear differentiation between individuals, authorities and roles. Low Power Differential: an organization where reporting structures are blurry and everyone is perceived as equal. The type of power distance will affect information flow as well as roles and responsibilities.

    12. 4. The Politeness Norm. Seen in High Power Differential organizations and affected greatly by geography. People may see security problems but do not acknowledge them, as it may put a person in a position of authority in an awkward situation where they have to save face.

    The politeness norm is not limited to being polite. Individuals may be afraid to say something when they notice a problem if they are afraid of repercussions. This is clear in the example of Korean Airlines having seventeen times more plane crashes than any American air carrier between 1988 and 1998; this has been attributed to cultural issues, where in Korea the power distance index is so high that a subordinate first officer would never tell a captain that something was wrong. The captains were in charge and did not take direction from someone lower on the chain of command; subordinates knew this and remained quiet even in the face of disaster, and the airline suffered tremendously in relation to its reputation, safety ratings and customer loyalty. A cultural change was needed, and an American, David Greenberg, was brought in to revamp the enterprise. He brought with him Alteon, a subsidiary of Boeing, to reinvent training programs, and insisted on English being the language of Korean Airlines so that pilots could communicate with Air Traffic Control. As a result of the fundamental changes in the organization’s DNA, Korean Airlines completely reinvented itself, brought its safety rating back up and received an award for its transformation. (Gladwell, 2008)

    13. 5. Context. The need, or lack of need, for shared backgrounds. High context cultures depend on shared experiences and are usually more homogeneous; low context cultures are more individualistic and heterogeneous. Culture changes must begin as low context: individuals are brought into groups such as security steering committees, and you can then begin to strive towards becoming high context and more homogeneous. This can be done by sharing experiences and information; it can increase collaboration and trust, but takes a long time to establish. High context cultures depend on shared experiences to have meaning and require fewer words because people “know”. Low context cultures do not depend on shared experiences; they require more words to have meaning, have increased complexity as information handling needs are increased, and have more documentation.

    14. 6. Collectivist v Individualist: We vs. Me. Many organisations are trying to get to the WE perspective; this is difficult in a weak economy with a high unemployment rate, as people may tend to look out for themselves. What’s best for the organisation is important for security culture: if people have loyalty to the organisation they are more likely to handle information in a secure manner. A well established and well communicated strategy and goals can help organizations get to the WE perspective. Organisations need to have security ingrained so deeply into their DNA that people do not have to think about doing something securely; they just do.

    15. Culture & the System. The organizational culture affects the entire corporate system. Being prepared to deal with change is essential. Some types of cultures are more open to dealing with change than others. Organizations that have a hierarchical or high power distance culture are often more rigid than egalitarian or low power distance cultures.

    16. BMIS : Social Network example. Used primarily by the younger population. Is it accepted by others in the organisation? How is security included in technical solutions? Social network tools affect the organisation in many ways. BMIS elements and interconnections touched: Culture; Governing; Enabling and Support; Emergence; Architecture; Process.

    Generation Y is becoming a population of its own in enterprises. They bring with them vast knowledge in technology, as they have been raised as ‘digital natives’, and they also bring with them a set of expectations. In many organizations use of the internet, texting, and social network sites has been prohibited; however, this attitude is changing and companies are realizing that to gain maximum productivity from these employees they need to make some accommodations. In order to attract and retain employees in this generation, many organizations are embracing web 2.0 services and not only allowing employees to utilize these sites but also creating Facebook, LinkedIn, MySpace and Twitter pages for the organization. The use of services such as these has enterprise wide implications, both positive and negative. There are governance issues such as policies and standards that need development; the technology, architecture and infrastructure are all impacted, and as a result of traffic, provisioning and bandwidth requirements may need to be adjusted. There are also issues that will happen without advance notice; this falls into the emergence category. The issues that emerge could be good, such as increased collaboration and productivity, but could also be negative, such as risks that need to be managed. Social network and web 2.0 technologies provide a good example of how a change in employee age has impacted the way business is done. As we can see, this appears to be an issue that affects culture but reaches into every branch of BMIS.
    *If social network tools are not being accepted in your region, please discuss how the unacceptance is affecting the organizational culture.

    17. BMIS : Social Network example. BMIS provides a way for the security manager to look at all the areas that may be impacted, either by the issue itself or by an attempt to control it. Allowing for flexibility, the model can accommodate all of the process, technology, policy and educational needs a security manager would face when making accommodations for something such as social networking. The systems thinking concepts such as feedback and delay would also enable the manager to anticipate how changes will affect the organization as a system.

    18. The Security Culture. It is imperative that security become a core value that is enshrined in the organizational culture. People need to be thinking about security; people need to be aware of how to protect information assets; people need to think about what is best for the enterprise and its customers. One more important aspect of culture is perception. If management claims to commit but does not adjust its pattern of behaviors, employees will know that they don’t have to change their behaviors. This has an adverse effect on process, governance, emergence and technology.

    19. The Security Culture. A culture that is cognizant of information security issues would have the people, the security program and the organization aligned: policies, standards and procedures well defined and well communicated (and enforced); strong support from executive management; continual awareness and training programs; people who understand that security is a priority and practice good habits with regard to information handling.

    20. The Security Culture: The Intentional Security Culture. Kiely (2006) suggests creating an intentional security culture. Culture must include the above mentioned aspects but really needs to integrate security into the DNA of the organizational culture. Whether the organisation has a high power distance, homogeneous culture or a low power distance, heterogeneous culture, they can all be changed over time. More than behaviors need to be adjusted; the underlying norms and attitudes must be adjusted as well.

    21. The Security Culture. Culture is not just education: although awareness raising, training and security education are important factors that may change behaviors, they alone cannot change the culture of an organization. Culture is not just governance: policies and standards are critical to influencing the culture, as is the “tone at the top”, but they cannot change the culture alone.

    The current problem with an Information Security Culture is that there is no agreed definition. Much research concurs that an information security culture is achieved when information security aspects are instilled in every employee as a natural way of doing their job (von Solms, 2000), or how things are done by the employees and the organization in relation to information security (Ngo et al., 2005; Martins & Eloff, 2002; Kiely, 2006). Research opinions change when we begin to investigate how to change the culture to an intentional security culture. Most of the suggestions revolve around awareness training. This is not an effective means of changing a culture and does not take a systemic approach. Culture influences the entire system, and so changes need to be made at the very foundation of the culture. Behaviors, attitudes and norms need to be influenced in order to get to a point where security is simply encompassed in the way business is done; attitudes about information handling and protection need to be incorporated into the organization through policy design, management support and business practices. Governance and education are definitely important but are insufficient on their own. Culture changes are long term solutions and need to be reinforced throughout all areas in the enterprise. Generally, researchers agree that the security culture represents the way things are done in relation to information security.

    22. How to create an Intentional Security Culture. Realize this is a large undertaking and is not a short term fix. Work to establish a strong IS Governance program that includes buy-in from leadership as well as functional business unit leaders; find influential leaders to help deliver key messages. Encourage collaboration between business units, reducing siloed management. Gain concurrence on clear goals and objectives. Provide the knowledge, tools and skills people need to effectively handle information assets. Develop consistent processes for information handling and sharing. Develop scenario training to influence change in beliefs and attitudes. Communicate, communicate, communicate.

    Cultural changes can happen and will take time. Small intentional changes can have ripple effects across the organization. Increasing collaboration between groups can increase trust and bring people together with a common goal. Once people begin to work together they can begin to share experiences, which will help to improve relationships and attitudes. Perceptions are important: security professionals must show that security is not an obstacle but an enabler, and other people need to be able to accept that.

    23. Benefits of an Intentional Corporate Culture. Internal Trust: can demonstrate an organisation’s nimbleness. External Trust: essential among business partners, contractors, vendors and customers. Benefits of Consistency: when security is working, it is unobtrusive, functional and pervasive; it brings attributes of predictability; standardisation; improved ability to manage risk; improved ROI; compliance with laws/regulations; shareholder/citizen value.

    24. Inhibitors to an Intentional Corporate Culture. 1. Societal Culture: security is conditioned by the sense that its information is not under attack, or it is easy to slip back into comfortable complacency. 2. Lack of Organisational Imperatives: it is difficult to obtain a consensus on the relative importance of various aspects of security. 3. Unclear Requirements: the specific requirements to fulfil the implied obligations are often unclear. 4. Insufficient Awareness. 5. Systemic shortcomings: inability to detect variances in policy and culture, or to monitor and enforce compliance with the culture. 6. Lack of Rewards – e.g. uninformed risk acceptance. 7. WIFM (What’s In It For Me) – unfunded mandate; lacks management attention; personal esteem?

    25. Intentional Culture of Security : Practical Aspects. Changing perceptions: to erase the negativism and associate security with the benefits to people of moving freely, with appropriate access. It is people who make the culture. Attributes of a Security Culture: Security Champions – who the Board listen to; Realistic Budget – to support security initiatives; Broad Accountability – shared responsibility; Awareness/Training – tailored; Policies, Standards & Guidelines – ensure they are enforceable; Go/No-Go Decisions – require strong leadership from the top; Rewards – need to reward good risk-related decision making; Rigorous response to security incidents; Satisfied Customers – demand reliability from suppliers.

    27. Broad Accountability – shared responsibility

    28. Ultimate Goal: Security Culture Maturity Model

    29. Information Security Culture Goal

    30. Questions & Contact?
