With information security now demanding a significant level of attention
from organizations, the traditional approach of identifying risk in purely technical terms has proven insufficient. Please consider the areas that truly affect information security and integrate those findings into an overall risk management study to ensure an effective and appropriate technology program.
I believe the greatest information security threat is corporate culture. Culture baffles people who have never had to struggle with it. As a third culture kid (Dept. of State, 2010) I’ve struggled to explain myself culturally most of my life. I know I think differently even though I carry an American ...
The assumption of a number system makes a big difference in how we think, the limits we place upon ourselves, and whether we successfully communicate. Culture generally has a rational logic based upon assumptions.
When I read through Todd Fitzgerald’s article in the Information Security Management Handbook (Fitzgerald, 2007), my first reaction was more blah, blah, blah. I’ve lived through it and seen it in several companies. Work on these critical success factors and you will succeed. Most give up in frustration or rely more on dictated power than consensus. I do acknowledge truth in the success factors, but it is also true that management hasn’t done its root cause analysis to determine the flawed cultural logic and its assumptions. As a result, the cultural change fails.
To Fitzgerald’s credit, he does address some of management’s problems in addressing corporate culture (Fitzgerald, 2007, pp. 108-109). Western, and specifically American, culture is not very tolerant of a manager who will stand up and say our corporate culture has these flaws and this is where we need to get to fix them. Instead, managers often provide excuses for the required change, blaming it on legislation like Sarbanes-Oxley, or they outsource the manufacture of parts internationally to companies not regulated by American law. Fitzgerald puts a different perspective on things, but when I read the section on researching other organizations, my first thought was that the companies researched often outsource or transfer their security problem to another organization.
Providing an excuse allows a manager to avoid taking the blame for cultural change from other managers. I was working a remediation problem for a major bank which was centralizing security management. Database administrators, branch offices, and security controls on brokerage accounts were all converted to a centralized system. When the question was asked why we were doing this, the answer was always because the Comptroller of the Currency, Sarbanes-Oxley, and Gramm-Leach-Bliley say we have to. To refer to Fitzgerald’s critical success factors, a vision may have been articulated at one time, but in the end the reason for the security remediation was that the law said we had to. People gave up control of security to the centralized security group kicking and screaming, as slowly as possible.
Putting together a corporate culture where security is truly integrated into the culture takes a lot of time, the willingness to point out cultural flaws for what they are, and management addressing them openly and honestly. Employees need to think and feel that they are trusted and be willing to follow the leadership of the company. A lot of security changes impose controls and limits on what employees can do. Some controls actually watch what people do. If people don’t feel trusted, they won’t trust the cultural change by changing their assumptions and logic.