Senior managers play a pivotal role in championing a culture which is resilient, adaptable and open to change. However they are not alone in this: they need to work closely with information security professionals, line managers and front line staff to ensure that information risks are considered across the organisation.
A good way of seeing how well your organisation is managing its risk is by thinking about whether these four aspects of good culture resemble what happens in your workplace.
An informed culture
Business leaders should actively promote a supportive security culture, ensuring staff are aware of the current threats to their information assets. Staff also need to be given information on incidents that have occurred, what has been learned and what has changed as a result. Training should be endorsed as an important aid for all staff, not only at work but in their personal lives. If people have a good understanding of how to protect their own personal information they will have a better understanding of the threats to the organisation’s data.
A learning culture
Staff should acknowledge that mistakes will sometimes occur, especially in a working environment where changes are constantly happening. Reporting incidents is important as it enables the organisation to learn what went wrong and why, and the scale of the problem. It can also encourage, when necessary, a change in procedures or policy. If incidents are covered up and changes aren’t made, mistakes could be repeated. Staff should be assured that they can report in confidence and issues will be handled consistently and without bias.
A just culture
Staff must have confidence that any loss or compromise of information, whether due to human error or malicious intent, will be handled in a fair and consistent manner that is applied across the whole organisation. If there are certain practices that could lead to disciplinary action, for example looking up family members on a company database, then staff need to be clear about what these are and the possible penalties of breaking the rules.
A skilled culture
All staff should feel confident adapting their attitude to information risk in response to changing business demands, policies and procedures. They should ensure everyday actions and attitudes contribute to a supportive security culture. Where staff are not confident in what they need to be doing to work securely they should have confidence to request training and guidance. A previous blogpost gave an entry level introduction to information risk and may be a good starting point for staff uncertain with the principles involved.
If senior managers can look at their organisation and feel reassured that these four pillars are in place then they will have gone a long way to making sure that their information risks are being managed effectively.