From compliance to resilience: people, culture and information security


Our attention is drawn to destructive cyber-attacks such as WannaCry and NotPetya, which give us a glimpse of what sophisticated and malicious attackers can achieve in our interdependent information systems. However, the simple exposure of stolen material such as ‘Collection #1’, which provided over 21 million unique user passwords, shows that damaging outcomes are not restricted to expert hackers.

The human is both an asset and a liability in information security. Our information security culture often views humans with deep suspicion: human behaviour is seen as malicious, complacent, or ignorant. This view shapes our organisational actions, creates a culture, and often produces counter-productive behaviours. It leads us to position the human contribution to information security systems in a specific way. And this is the problem.

Language is revealing, the structure is persistent, and people adapt.

The language used to describe people as part of our information security systems is revealing. We talk about ‘social engineering’, ‘patching the human’, and building the ‘human firewall’. The sense is that we are wiring the human into the machine as we would another technology component. In doing so, we constrain the most adaptable part of our organisations, limiting its capacity to adapt and respond.

We need to step back to look at our organisations with clear eyes. The information technologies we have been importing into our organisations over the past 25 years brought an alien organisational philosophy. This philosophy entered a highly adapted, industrial-age organisational and social architecture. Technology has changed and continues to change the way our organisations function and the way we work, but the scaffolding of the older structure remains in place. Organisations and workforces take considerable time and effort to rework.

The workforce is the first to feel the incongruities, tensions, and disorder as the new clashes with the old. The possibilities of new ways of working and organising run up against the ingrained habits of known processes, practices and procedures. They clash with the scaffolding of the older, dominant organisational culture.

In all organisations, people are the shock absorbers that mediate between a changing environment and an organisation’s capacity to adapt. The workforce is the organisation’s buffer against uncertainty. It is also the principal way an organisation absorbs change and adapts.

Compliance is a defining feature of information security culture

We establish a compliance-based culture grounded in control by positioning people as another interchangeable part of the information security machinery. The characteristics of this culture, gathered from conversations with information security professionals and users, are listed below.

People often express a tension between their ability to contribute positively to information security and the expectations of the security culture. This contributes to a reserved or passive attitude to information security. In a healthier situation, the contribution people want to make to information security and the expectations of the culture would reinforce each other. In our experience, that is the rarer observation.

The features of a compliant information security culture are:

  1. Information security is seen as regulation and a set of rules to be followed, with little understanding or attention as to why it is significant.

  2. Information Security is perceived as a ‘technical’ solution – in which people and culture are just one of many weak links to be addressed.

  3. Leaders, managers and employees do not feel empowered to participate in security but feel forced to comply.

  4. ‘Minor’ breaches or ‘odd’ behaviour are not seen as significant, so they carry no natural consequence and no action is taken.

  5. When breaches occur, there is little understanding of the potential implications and how to use that occurrence as a learning opportunity.

  6. There is not a feeling of individual or collective accountability for information security.

  7. The practice of information security is punitive and policy-based.

  8. The information and tools that inform a protective security culture become rules-based, impenetrable, and incontestable.

  9. Reputation management and the secrecy of breaches are central to sustaining an internally focused culture.

A compliance culture stems from a management approach that sees people as sources of weakness who cannot be trusted, who require close supervision, who lack commitment, and whose best contribution is behavioural compliance. From this mindset comes language like ‘patching the human’.

Toward a positive information security culture

Today, we are doing what is managerially easy. There is less risk and less effort in building a compliance culture. But we know that training for compliance does not work, cultivated apathy does not help, and coercion often begets unintended behaviours.

Changing culture is not a ‘technical’ task to be engineered into place. It requires understanding how motivation, incentives, leadership and governance interact to trigger behaviours – desired and undesired. Shaping a positive information security culture and behaviours combines a person’s motivation, ability, and perhaps most importantly, the permission to behave positively.

There is a way forward to a more positive approach to information security that places people and culture at the centre of an information security system that is more resilient, adaptive, and effective.

This post was first published here
