Another commonly held view across Information Security communities is that Information Security needs to be everybody’s responsibility.
This is the cliché against which countless Security awareness development programmes have been justified – and while there is an element of truth in the fact that each employee can do something at their level to protect the organisation against threats, this is true across the board and is not specific to Information threats.
In practice, most awareness programmes are missing the point by focusing excessively on a technical message to the detriment of the emotional message. Employees will only change their attitudes to protect the organisation if they care about it to start with. To be effective over the long-term, awareness programmes should insist primarily on those emotional aspects – in a way similar to public campaigns targeted at anti-alcohol abuse or road safety have been structured, and develop the protective bond between the employee and the company. And measuring progress should be built-in from the start, through the definition of key indicators and internal focus groups or polling methods.
Of course, this is far more complex (and costly) than distributing leaflets or mouse mats – and it would force the CISO to work across silos with HR and other corporate functions. Results are hard to predict, let alone return on investment, and can only be rooted in the corporate culture of each organisation. While well-designed long-term awareness programmes can be an element in the machinery that drives change, when structured around an opportunistic technical angle – and without metrics to measure progress – they can be a catastrophic waste of money.
The CIO must not look at those as any kind of “silver bullet” to deliver change in the Security space, even in very large organisations where it seems nothing else could be practically delivered on a global scale due to complex geographical or business spread (and in actuality those very aspects could make awareness programmes even more difficult to drive).
Driving change in the Information Security space is complex and takes time. It can only stem from a clear long-term vision and from the clear assignment of accountabilities, responsibilities and reporting lines at the top – backed by the right HR provisions in terms of performance management and rewards for key actors.
Information Security cannot be just “everybody’s responsibility”. Over time it may just become “nobody’s responsibility”. It needs to be “somebody’s responsibility” and that person can only be the CISO.
The CIO must ensure that the CISO is clearly and unambiguously accountable for ensuring that the right controls are in place across the organisation, backed by an Information Security Governance Framework that ensures that accountabilities and responsibilities are cascaded down to all relevant stakeholders.
CIOs can refer to our April 2015 article “Organising InfoSec for Success” for a more detailed analysis on some of these aspects.
Managing Director – Corix Partners
www.corixpartners.com
This article is part of the series “The CIO Guide to a successful Information Security Practice – 8 Key Management pitfalls to avoid” in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.