Building an Intentional Culture of Security using the Business Model for Information Security Presented by Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS

Posted on 28-Dec-2015

216 views

Category:

Documents


1 download

TRANSCRIPT

Page 1

Building an Intentional Culture of Security using the Business Model for Information Security

Presented by Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS

Page 2

About the Presenter: Jo Stewart-Rattray

• Director of Information Security, RSM Bird Cameron
• Certified Information Systems Auditor
• Certified Information Security Manager
• Certified in the Governance of Enterprise IT
• Board of Directors, ISACA International (2008-2009)
• Security Management Committee, ISACA (2006-2009)
• Chair, Security Culture Taskforce, ISACA
• Member, Knowledge Board, ISACA
• Member, Framework Committee, ISACA
• Chair, Leadership Development Committee,

Page 3

Agenda

• A brief look at the Business Model for Information Security
• Discussion about the Security Culture Taskforce and its objectives
• Defining culture
• The impact and effects of culture
• Building a security culture
• The intentional culture of security

Page 4

Business Model for Information Security

Elements
• Organisation Design and Strategy
• People
• Process
• Technology

Dynamic Interconnections
• Culture
• Architecture
• Governing
• Emergence
• Enabling and Support
• Human Factors

The Business Model for Information Security was developed to address the complexity of security in a holistic and flexible manner. It is a business-oriented model that promotes a balance between protection and the needs of the business.

Page 5

Taskforce Membership

Jo Stewart-Rattray, RSM Bird Cameron, Australia, (Chair)

Norman Kromberg, West Corporation, Omaha, USA

Rinki Sethi, e-Bay, San Jose, USA

Vernon Poole, Sapphire Consulting, United Kingdom

Wendy Goucher, Idrach Consulting, United Kingdom

Finn Sveen, Gjøvik University College, Norway

Christos Dimitriadis, Intralot, Greece (ISACA Vice President)

Shannon Donohue, Director of Security Practices, ISACA Staff Liaison

Steven Ross, Risk Masters, New York, USA, Project Writer

Page 6

Taskforce Objectives

Produce a publication that examines how culture affects the information security programme. The publication will:

• examine how to create an intentional security culture and discuss how to utilise the Business Model for Information Security (BMIS) to this end;
• deliver a range of methods to promote cultural growth to, in turn, help security professionals assess and understand their current culture state and provide guidance to begin moving toward an improved future state; and
• identify potential barriers and provide recommendations for overcoming such barriers.

Page 7

Culture Defined

Culture is the patterns of behaviours, beliefs, assumptions, attitudes and norms in an organisation;

Culture is not simply defined by, or limited to, what the Executive says;

It is not just about rules and social or organisational norms;

It is the ‘how stuff gets done’ in organisations.

Page 8

Impact of Culture

Security must be enshrined into the core of corporate culture.

Studies show that up to 80% of productivity problems can be related to flaws that manifest in the culture, such as:

• Alignment problems (conflicting goals)

• Attitude issues (burn out, complacency, de-sensitisation)

• Decision making (lack of leadership, process too cumbersome)

• Influence issues (difficulty in getting buy-in)

• Innovation and creativity (personnel and productivity)

Page 9

Cultural Effects

What factors of culture affect the overall organisational culture?

• External Issues
  o Ethnic
  o Religious
  o Socio-economic
  o Geographical

• Internal Issues
  o Past issues (incidents or events that bring people together)
  o Organisational tone/posture
  o Priority of organisation

Additionally, there are many forgotten factors that can have an effect on culture; these can include age, gender, sexual orientation and personal beliefs.

Page 10

Sub Cultures

Individuals bring their beliefs and perceptions to work, which may affect their behaviour.

Culture is important to the security programme as it can either hinder or propel change

The pattern of behaviours is what makes up the organisational culture and its sub cultures

Sub cultures also need to be addressed – some may classify these as the way things really get done

Page 11

Cultural Considerations

Organisations need to consider how culture impacts business and how to deal with that. Creating a culture that operates effectively with security enshrined into daily processes, beliefs and behaviours is critical.

While an overall organisational culture exists it is important to note that cultures may also differ between business units within the same organisation.

This type of culture creates a supportive environment for implementing information technology and security practices.

Page 12

Aspects of Culture

Systemic Security Management research identifies a number of aspects of culture that are of particular importance to information security:

• Rules and Norms
• Tolerance for ambiguity
• Power Distance
• The Politeness Factor
• Context
• Collectivist versus Individualist

Page 13

Building a Security Culture

It is imperative that security become a core value that is enshrined in the organisational culture.

People need to:
• be thinking about security;
• be aware of how to protect information assets;
• think about what is best for the organisation and its customers.

Page 14

Inhibitors to a Security Culture

Some types of cultures are more open to dealing with change than others.

Organisations that have a hierarchical or high power distance culture are often more rigid than egalitarian or low power distance cultures

Creative environments are often problematic

Page 15

Inhibitors to a Security Culture

• Poor comprehension of risk
• Perceived lack of harm
• Invisibility of security threats and breaches
• Lack of organisational imperatives
• Awareness alone is not enough
• Lack of rewards for doing the right thing

Page 16

Benefits of an Intentional Security Culture

• Consistency of approach, actions and reactions
• Improved Return on Security Investment
• Shareholder/stakeholder/citizen value
• Improved compliance environment
• Trust: internal, vendor, customer

Page 17

The Intentional Security Culture

How to begin to create an intentional culture:

• Realise this is a large undertaking and is not a short-term fix
• Work to establish a strong information security governance program that includes buy-in from executive management as well as functional business unit leaders – find champions throughout the organisation to help deliver key messages
• Encourage collaboration between business units, reducing the silo effect
• Gain concurrence on clear goals and objectives

Page 18

The Intentional Security Culture (continued)

• Provide the knowledge, tools and skills people need to effectively handle information assets
• Develop consistent processes for information handling and sharing
• Understand the issues and potential barriers
• Develop scenario training to influence change in beliefs and attitudes
• Communicate, communicate, communicate

Page 19

Questions