Information security strategy: it’s turtles all the way down

Information security strategy, not technology, determines the maturity of an organisation's information security culture and behaviour.

It is necessary to start with a brief side journey into what is meant by ‘strategy’.  A strategy is not a plan, nor is it a technology. Strategy is about making choices to change behaviour. In the context of information security culture and behaviour, the strategy should deal with how individual intentions, workplace culture and organisational systems interact to elicit observable behaviour.

For example, an insider threat breach is the product of an individual's intention (influenced by values, attitudes, commitment, responsibility, experience and emotions) to inadvertently or maliciously divulge sensitive information, interacting with culture (shaped by perceptions of shared values, history, justice and fairness) and systems (the demands of structures, policies, procedures and practices) to produce the observable behaviour of a security breach. Information security strategy seeks to influence this interaction positively.

There is an anecdote that expresses the view that our world rests upon an elephant, and the elephant stands upon the back of a turtle. The obvious next question is, what does the turtle stand on? The answer is that it is turtles all the way down. The same is true of information security. Our working world rests on technology, but from there on, it is people all the way down. We tend to lose sight of this when we define the problem of information security and our solution through the lens of technology alone.

What, then, are the contours of a good information security strategy?

  1. It puts people, culture and behaviour at the centre of the strategy. It maximises the interaction between intention, culture and systems to generate positive workplace behaviours that add adaptability and resilience to the information security system.

  2. It seeks to broaden information security cultural and behavioural competence and capability by influencing individual intention. In contrast, current approaches focus on controlling observable behaviours without addressing how people think about information security. If you don't motivate people to think differently, you don't change their behaviour.

  3. It integrates all the available resources. The objective is mutually supporting lines of activity that lead to a desired outcome. An over-reliance on training or monitoring is unlikely to produce a sustainable effect.

  4. It identifies and manages risk rather than evoking ‘big brother’. The Hayne Royal Commission into the financial sector has demonstrated the risk of misaligned organisational culture to performance and reputation. Culture and behaviour are not a ‘soft’ strategy to be given tepid executive attention. Together, they represent either a significant strategic strength or weakness. The ‘big brother is always watching’ compliance approach has its place, but it potentially causes more harm than good alone.

  5. It must be led from the top, not delegated to the next available functional head. The breadth, depth, and adaptive nature of the information security challenges require constant and visible attention from the top. Leaders permit positive behaviour in the workplace and provide incentives that reinforce those behaviours. It’s turtles all the way down.

There is a need to reimagine the place of people and culture as central to information security practice and behaviour. The problem is adaptive, and the strategic solution needs to be equally adaptive.
