How Do I Know If I Have a Culture of Security?
Essay • October 12, 2011
Culture is defined as the predominant shared attitudes, values, goals, behaviors, and practices that characterize the functioning of a group or organization. So how do I know whether a culture of security, a critical element, exists within my organization, IPL Group, and within the partner organizations to which I've granted network access? Below I've identified the set of beliefs, behaviors, capabilities, and actions that, in my more than 10 years in this business, has consistently indicated the presence of a culture of security:
1. Security is addressed and enacted at an enterprise level. C-level leaders understand their accountability and responsibility with respect to security for the organization, for their stakeholders, and for the communities they serve, including the Internet community.
2. Security is treated in the same fashion as any other business requirement. It is considered a cost of doing business, not a discretionary or negotiable budget line item that needs to be regularly defended. Business units and staff don't get to pick and choose how much security they want. Adequate and sustained funding and allocation of resources are a given.
3. Security is addressed during normal strategic and operational planning cycles. Security has achievable, measurable objectives that directly align with enterprise objectives. Determining how much security is enough comes down to how much risk and how much exposure the organization is willing to tolerate.
4. All functions and business units within the organization view security as part of their responsibility. The leaders of these entities understand that their performance with respect to security is measured as part of their overall job performance.
5. Security is integrated into functions and processes for risk management, human resources (hiring, firing), audit/compliance, disaster recovery, business continuity, asset management, project management, and IT operations. Security is actively considered as part of project initiation and ongoing project management, and during all phases of any software development life cycle (applications and operations).
6. All personnel who have access to enterprise networks understand their individual responsibility for protecting and preserving the organization's security posture. Rewards, recognition, and consequences for security policy compliance (or non-compliance) are consistently applied and reinforced.
While the statements in the list above are roughly in priority order, determining which are most important depends on IPL Group's own culture and business context. C-level leaders committed to establishing and sustaining a culture of security can use these statements to determine the extent to which such a culture is, or needs to be, present in their organizations.
After my first 30 days, I've confirmed that cyber security/information security is best viewed not solely as a technology challenge, but as a corporate governance issue aligned with the Global Risk Management & Control Strategy, which then evolves into the Global Enterprise Information Security Governance & Risk Management Strategy/Framework. Investments in cyber security should be tied to actual business risk in order to achieve maximum value and a rational allocation of resources. Periodic risk assessment and reporting give visibility to the business decision makers charged with implementation and oversight. Moreover, like quality assurance, information security requires continuous, incremental improvement over time. It is clear that information security is of critical importance. It is key to extending the enterprise to enable deep integration with partners, suppliers and customers, while aiding compliance with regulations such as Sarbanes-Oxley. Importantly, information security also protects economically vital critical infrastructure from attack (e.g. SCADA networks). I urge the IT Management Team/Board to accept the challenge and immediately take steps to adopt the Enterprise Information Security Governance Strategy/Framework prescribed below.
What is a Global Enterprise Information Security Governance Strategy/Framework & its Relevance to IPL Group?
Information security governance provides a roadmap for the implementation, evaluation, and improvement of global information security practices by creating a sustainable culture of security. The benefits of an effective Global Information Security Governance Strategy/Framework include the following:
1. Improved trust in customer relationships. (Maps to IPL Value of "Treat the business as our own" and "Think Customer, Everyone. Everyday.")
2. Protecting the organization's reputation. (Maps to IPL Value of "Treat the business as our own.")
3. Decreasing likelihood of violations of privacy and potential liabilities.
4. Providing greater confidence when interacting with trading partners.
...
...