CORPORATE CULTURE: IT IS A GREAT INFORMATION SECURITY TOOL. Culture, in general terms, can be understood as the set of ideas, habits and social behavior of a specific group. This translates into values, beliefs, ideologies and group behavior. In a corporate environment, it is only natural that absolutely every organization has its own culture. And yes, this is one of the key factors that can define the success or failure of information security.
The fact is CULTURE EATS STRATEGY FOR BREAKFAST. The phrase, originally attributed to Peter Drucker, has never been as true as in modern organizations, especially in subjects related to Information Security and Risk Management. Corporate culture can either motivate or drain the energy of professionals. Understand: Culture is the environment where corporate strategy, even the most well defined, blooms or agonizes. Any company that tries to disconnect these two factors is creating an unnecessary risk on the way to success.
Over the past years, several companies have learned – the hard way – that neglecting information security can bring disastrous impacts on operations, brand and financial results. This scenario leads us to believe that the mindset of senior management should have evolved into a more mature approach, where security is seen as a business facilitator and incorporated into all aspects of the strategy and transmitted in corporate culture, right? Yeah, dream on.
The truth is – so far – there has been little change. Security is still seen primarily as a purely technical discipline, and perceived by most managers and companies as unnecessary costs and bureaucracy.
The great challenge is not technology related at all. Cloud, big data, business transactions, data leakage: for each risk item there are numerous technologies that could be implemented as a solution. However, all this seems simple compared to the stress of creating a strong culture of cyber security that encompasses strategy, mature processes and, especially, people.
How about a good practical example, a somewhat recent case? Well, if you follow information security in the news, it is more than likely you heard about the Target data leak. The incident took place in late 2013, very close to the holiday season. The intrusion began at a third party computer, from the HVAC vendor, and evolved into the installation of malicious code in the POS (points of sale, where customer information is read).
The resulting leak included 40 million credit and debit card records, and 70 million customer records. The consequences? How about financial losses of approximately USD 148 million, plus a fine of USD 10 million. Add to that the resignation of both the CIO and the CSO, and brand damage that is not likely to be forgotten anytime soon. Yeah, that’s not what I call a very good 2013 Christmas.
Ok, the whole incident is now common knowledge, but what often goes unnoticed is the fact that Target had a good Information/IT Security team. This same team advised upper management, months before the incident occurred, about several critical vulnerabilities that needed to be fixed in order to ensure a secure environment. During the actual intrusion, several warnings were sent to management about possible malware (yeah, the same malware that in the end led to the invasion). Both situations were promptly neglected by the business, which preferred to focus on the Christmas sales.
Who is to blame? The business that disregarded sound advice, or the Security Team that, even throughout a possible invasion, failed to properly communicate the facts in business terms? Well, this is the problem with a poor cybersecurity corporate culture: it allows an abysmal gap to form between those who focus on sales and the team trying to protect the organization.
The solution is not as simple as it seems. We need to create communication bridges between the Information Security Team and the business, from the operational to the strategic level. Limiting information security efforts to technological controls, and avoiding the challenge of creating a proactive cybersecurity mindset, is a recipe for utter failure.
Do you care to make InfoSec work the right way? Take your time to understand how to communicate with the business and senior management, not in terms of bits and bytes and zeros and ones, but focusing on the business objectives and how these may be affected by the lack of good security controls. Do this well and, who knows, one day you might actually be remembered as Pontifex Maximus.