Posted on 28-Dec-2015
Building an Intentional Culture of Security using the Business Model for Information Security
Presented by
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS
About the Presenter: Jo Stewart-Rattray
• Director of Information Security, RSM Bird Cameron
• Certified Information Systems Auditor
• Certified Information Security Manager
• Certified in the Governance of Enterprise IT
• Board of Directors, ISACA International (2008-2009)
• Security Management Committee, ISACA (2006-2009)
• Chair, Security Culture Taskforce, ISACA
• Member, Knowledge Board, ISACA
• Member, Framework Committee, ISACA
• Chair, Leadership Development Committee,
Agenda
A brief look at the Business Model for Information Security;
Discussion about the Security Culture Taskforce and its objectives;
Defining culture;
The impact and effects of culture;
Building a security culture;
The intentional culture of security.
Business Model for Information Security
Elements
• Organisation Design and Strategy
• People
• Process
• Technology
Dynamic Interconnections
• Culture
• Architecture
• Governing
• Emergence
• Enabling and Support
• Human Factors
The Business Model for Information Security was developed to address the complexity of security in a holistic and flexible manner. It is a business-oriented model that promotes a balance between protection and business.
Taskforce Membership
Jo Stewart-Rattray, RSM Bird Cameron, Australia, (Chair)
Norman Kromberg, West Corporation, Omaha, USA
Rinki Sethi, e-Bay, San Jose, USA
Vernon Poole, Sapphire Consulting, United Kingdom
Wendy Goucher, Idrach Consulting, United Kingdom
Finn Sveen, Gjøvik University College, Norway
Christos Dimitriadis, Intralot, Greece (ISACA Vice President)
Shannon Donohue, Director of Security Practices, ISACA Staff Liaison
Steven Ross, Risk Masters, New York, USA, Project Writer
Taskforce Objectives
Produce a publication that examines how culture affects the information security programme. The publication will:
• examine how to create an intentional security culture and discuss how to utilise the Business Model for Information Security (BMIS) to this end;
• deliver a range of methods to promote cultural growth to, in turn, help security professionals assess and understand their current culture state and provide guidance to begin moving toward an improved future state; and
• identify potential barriers and provide recommendations for overcoming such barriers.
Culture Defined
Culture is the patterns of behaviours, beliefs, assumptions, attitudes and norms in an organisation;
Culture is not simply defined, or limited by, what the Executive says;
It is not just about rules and social or organisational norms;
It is the ‘how stuff gets done’ in organisations.
Impact of Culture
Security must be enshrined into the core of corporate culture.
Studies show that up to 80% of productivity problems can be related to flaws that manifest in the culture, such as:
• Alignment problems (conflicting goals)
• Attitude issues (burn out, complacency, de-sensitisation)
• Decision making (lack of leadership, process too cumbersome)
• Influence issues (difficulty in getting buy-in)
• Innovation and creativity (personnel and productivity)
Cultural Effects
What factors of culture affect the overall organisational culture?
• External Issues
o Ethnic
o Religious
o Socio-economic
o Geographical
• Internal Issues
o Past issues (incidents or events that bring people together)
o Organisational tone/posture
o Priority of organisation
Additionally, there are many forgotten factors that can have an effect on culture; these can include age, gender, sexual orientation and personal beliefs
Sub Cultures
Individuals bring their beliefs and perceptions to work, which may affect their behaviour.
Culture is important to the security programme as it can either hinder or propel change
The pattern of behaviours is what makes up the organisational culture and its sub cultures
Sub cultures also need to be addressed – some may classify these as the way things really get done
Cultural Considerations
Organisations need to consider how culture impacts business and how to deal with that. Creating a culture that operates effectively with security enshrined into daily processes, beliefs and behaviours is critical.
While an overall organisational culture exists it is important to note that cultures may also differ between business units within the same organisation.
This type of culture creates a supportive environment for implementing information technology and security practices.
Aspects of Culture
Systemic Security Management research identifies a number of aspects of culture that are of particular importance to information security:
• Rules and Norms
• Tolerance for ambiguity
• Power Distance
• The Politeness Factor
• Context
• Collectivist versus Individualist
Building a Security Culture
It is imperative that security become a core value that is enshrined in the organisational culture
People need to:
• be thinking about security;
• be aware of how to protect information assets;
• think about what is best for the organisation and its customers.
Inhibitors to a Security Culture
Some types of cultures are more open to dealing with change than others.
Organisations that have a hierarchical or high power distance culture are often more rigid than egalitarian or low power distance cultures
Creative environments are often problematic
Inhibitors to a Security Culture
Poor comprehension of risk
Perceived lack of harm
Invisibility of security threats and breaches
Lack of organisational imperatives
Awareness alone is not enough
Lack of rewards for doing the right thing
Benefits of an Intentional Security Culture
Consistency of approach, actions and reactions
Improved Return on Security Investment
Shareholder/stakeholder/citizen value
Improved Compliance environment
Trust:
• Internal, vendor, customer
The Intentional Security Culture
How to begin to create an intentional culture:
Realise this is a large undertaking and is not a short-term fix
Work to establish a strong information security governance program that includes buy-in from executive management as well as functional business unit leaders – find champions throughout the organisation to help deliver key messages
Encourage collaboration between business units, reducing the silo effect
Gain concurrence on clear goals and objectives
The Intentional Security Culture (continued)
Provide the knowledge, tools and skills people need to effectively handle information assets
Develop consistent processes for information handling and sharing
Understand the issues and potential barriers
Develop scenario training to influence change in beliefs and attitudes
Communicate, communicate, communicate
Questions