9de30433167b57d35e381baf4aab4664.ppt
- Number of slides: 19
Building an Intentional Culture of Security using the Business Model for Information Security
Presented by Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS
About the Presenter: Jo Stewart-Rattray
• Director of Information Security, RSM Bird Cameron
• Certified Information Systems Auditor
• Certified Information Security Manager
• Certified in the Governance of Enterprise IT
• Board of Directors, ISACA International (2008-2009)
• Security Management Committee, ISACA (2006-2009)
• Chair, Security Culture Taskforce, ISACA
• Member, Knowledge Board, ISACA
• Member, Framework Committee, ISACA
• Chair, Leadership Development Committee,
Agenda
Ø A brief look at the Business Model for Information Security
Ø Discussion about the Security Culture Taskforce and its objectives
Ø Defining culture
Ø The impact and effects of culture
Ø Building a security culture
Ø The intentional culture of security
Business Model for Information Security
The Business Model for Information Security was developed to address the complexity of security in a holistic and flexible manner. It is a business-oriented model that promotes a balance between protection and business.
Elements
• Organisation Design and Strategy
• People
• Process
• Technology
Dynamic Interconnections
• Culture
• Architecture
• Governing
• Emergence
• Enabling and Support
• Human Factors
Taskforce Membership
Jo Stewart-Rattray, RSM Bird Cameron, Australia (Chair)
Norman Kromberg, West Corporation, Omaha, USA
Rinki Sethi, eBay, San Jose, USA
Vernon Poole, Sapphire Consulting, United Kingdom
Wendy Goucher, Idrach Consulting, United Kingdom
Finn Sveen, Gjøvik University College, Norway
Christos Dimitriadis, Intralot, Greece (ISACA Vice President)
Shannon Donohue, Director of Security Practices, ISACA Staff Liaison
Steven Ross, Risk Masters, New York, USA, Project Writer
Taskforce Objectives
Produce a publication that examines how culture affects the information security programme. The publication will:
Ø examine how to create an intentional security culture and discuss how to utilise the Business Model for Information Security (BMIS) to this end;
Ø deliver a range of methods to promote cultural growth, which in turn will help security professionals assess and understand their current culture state and provide guidance to begin moving toward an improved future state; and
Ø identify potential barriers and provide recommendations for overcoming such barriers.
Culture Defined
Ø Culture is the pattern of behaviours, beliefs, assumptions, attitudes and norms in an organisation;
Ø Culture is not simply defined by, or limited to, what the Executive says;
Ø It is not just about rules and social or organisational norms;
Ø It is ‘how stuff gets done’ in organisations.
Impact of Culture
Ø Security must be enshrined in the core of corporate culture.
Ø Studies show that up to 80% of productivity problems can be related to flaws that manifest in the culture, such as:
• Alignment problems (conflicting goals)
• Attitude issues (burn-out, complacency, desensitisation)
• Decision making (lack of leadership, process too cumbersome)
• Influence issues (difficulty in getting buy-in)
• Innovation and creativity (personnel and productivity)
Cultural Effects
Ø What factors of culture affect the overall organisational culture?
• External issues
o Ethnic
o Religious
o Socio-economic
o Geographical
• Internal issues
o Past issues (incidents or events that bring people together)
o Organisational tone/posture
o Priorities of the organisation
Ø Additionally, there are many forgotten factors that can have an effect on culture; these can include age, gender, sexual orientation and personal beliefs.
Sub-Cultures
Ø Individuals bring their beliefs and perceptions to work, which may affect their behaviour.
Ø Culture is important to the security programme as it can either hinder or propel change.
Ø The pattern of behaviours is what makes up the organisational culture and its sub-cultures.
Ø Sub-cultures also need to be addressed – some may classify these as the way things really get done.
Cultural Considerations
Ø Organisations need to consider how culture impacts the business and how to deal with that. Creating a culture that operates effectively, with security enshrined in daily processes, beliefs and behaviours, is critical.
Ø While an overall organisational culture exists, it is important to note that cultures may also differ between business units within the same organisation.
Ø This type of culture creates a supportive environment for implementing information technology and security practices.
Aspects of Culture
Ø Systemic Security Management research identifies a number of aspects of culture that are of particular importance to information security:
• Rules and norms
• Tolerance for ambiguity
• Power distance
• The politeness factor
• Context
• Collectivist versus individualist
Building a Security Culture
Ø It is imperative that security become a core value that is enshrined in the organisational culture.
Ø People need to:
• be thinking about security;
• be aware of how to protect information assets;
• think about what is best for the organisation and its customers.
Inhibitors to a Security Culture
Ø Some types of cultures are more open to dealing with change than others.
Ø Organisations that have a hierarchical or high power distance culture are often more rigid than egalitarian or low power distance cultures.
Ø Creative environments are often problematic.
Inhibitors to a Security Culture (continued)
Ø Poor comprehension of risk
Ø Perceived lack of harm
Ø Invisibility of security threats and breaches
Ø Lack of organisational imperatives
Ø Awareness alone is not enough
Ø Lack of rewards for doing the right thing
Benefits of an Intentional Security Culture
Ø Consistency of approach, actions and reactions
Ø Improved return on security investment
Ø Shareholder/stakeholder/citizen value
Ø Improved compliance environment
Ø Trust:
• internal, vendor, customer
The Intentional Security Culture
How to begin to create an intentional culture:
Ø Realise this is a large undertaking and is not a short-term fix.
Ø Work to establish a strong information security governance programme that includes buy-in from executive management as well as functional business unit leaders – find champions throughout the organisation to help deliver key messages.
Ø Encourage collaboration between business units, reducing the silo effect.
Ø Gain concurrence on clear goals and objectives.
The Intentional Security Culture (continued)
Ø Provide the knowledge, tools and skills people need to handle information assets effectively.
Ø Develop consistent processes for information handling and sharing.
Ø Understand the issues and potential barriers.
Ø Develop scenario training to influence change in beliefs and attitudes.
Ø Communicate, communicate, communicate.
Questions