
The Enemies of Data Security: Is This You?

I recently read an article called The Enemies of Data Security: Convenience and Collaboration, posted by Carl S. Young on the Harvard Business Review website.

My experience with academic papers on information security is that most of them don’t deal with real-world problems. However, this short, interesting post succinctly articulates several ideas that are very relevant to business. In fact, I bet some of the examples I describe below sound like your shop.

Young begins:

“It is natural to view IT as both the cause and the cure for cyber security problems. After all, attackers typically steal information by exploiting a technology-related vulnerability. In addition, IT networks are usually the scene of the crime, and their inner workings are a mystery to most users and therefore a focus of suspicion. It is also tempting to believe that using sophisticated security devices alone will offer protection from cyber threats. However, such a view ignores fundamental drivers of information security risk: organizational culture and the behaviors that result from it.

Two aspects of a company’s culture have outsized effects on the security of its information: the organization’s tolerance for inconvenience and the degree of collaboration across business units and among employees.”

Organizational culture and the behaviors fostered by it are the fundamental drivers of information security risk. And two aspects of the organization’s culture have a disproportionate effect:

  • Tolerance for inconvenience
  • Degree of collaboration

Tolerance for Inconvenience

Young argues that convenience and security are inversely related – that you can have one or the other but not both.

I quibble a bit with that idea – but not too much. I accept that most IT users experience real and perceived inconvenience when new or additional controls are enacted.

However, I have never been convinced that less convenience is the inevitable result of adding security controls. I argue that by rigorously identifying risk and vulnerabilities – and then judiciously selecting the controls to mitigate that risk – convenience doesn’t have to be traded off in all cases.

Tolerance among Senior Management

The inconvenience of end users is just a small part of the problem. The article argues that an organization’s most senior employees often have the lowest tolerance for inconvenience! (Can I get an “amen!”?)

Young gives one over-the-top example of a prestigious law firm where the senior partners refused to use passwords. It’s extreme, but I have seen numerous organizations where the executives were interested in security only insofar as it addressed outside auditor concerns to the most minimal degree possible.

Mission-Driven Cultures

Even more interesting is Young’s argument that organizations with mission-driven cultures often fail to prioritize security measures. Naturally, projects that obviously and directly contribute to the mission are nearly always prioritized over anything viewed as not directly critical to the mission.

Commitment to a common mission is one attribute shared by most successful organizations. But this positive cultural attribute also puts those organizations at risk.

Again, this occurs in my customer organizations on a daily basis. One telltale sign is the question, “Can you guarantee that the suggested control will not affect any end users?” I usually answer, “I can definitely answer that question if you can identify all of the end users of this application/data/program/etc., the interfaces each one uses to access the data, and the authority they require!” The answer is usually, “Oh, I don’t know that, and it would take a lot of investigation to find out.” Rarely, if ever, is this followed by “but I’ll get that information.”

The implication is this: if I can’t automatically ensure that not even one end user will be impacted by the change, it will be too costly for the administrator to figure it out, and the suggested security control is therefore not worth implementing.

Unfortunately, changes like this are often forgone or put off indefinitely despite my assurances that 1) my recommendation is based on all available information about the application/data/program/etc. and 2) if, for some reason, applying the suggested control causes an unforeseen problem with an unforeseen user, we will fix it quickly.

The point of the example is that uninterrupted progress towards the mission is almost always prioritized over lowering security risk. I should note here that I usually deal with IT folks, so that’s where my examples come from. But culture is organization-wide and not limited to the IT shop.

Collaboration and Cultures

Unless managed very carefully, highly collaborative cultures are also prone to greatly increased risk.

In collaborative environments, data is typically managed such that nearly anyone is authorized to access critical data.

Don’t get me wrong. Collaboration is required and natural for some organizations. But, in today’s world, these organizations cannot safely ignore security requirements. There has to be a balance.

Ironically, “organizations that operate as a collection of independent business units” – the antithesis of collaboration, if you will – also have information security-related cultural problems. In organizations with this culture, it becomes difficult to maintain organization-wide communication and consistent standards. Disjointed, difficult-to-manage security solutions often mark these cultures and can significantly increase risk.

Fixing Cultural Drivers of Information Security Risk

How can an organization be more effective with information security management?

Changing organizational culture is never easy. You certainly don’t want to completely change a culture that has contributed greatly to the organization’s success. Instead, information security needs to be recognized as an equally important organizational objective in order for it to be embraced in the organizational culture.

Acknowledging data security as an organizational objective starts at the most senior levels. Once on board, senior executives must disseminate the message and model the desired behavior. They must also support those in the organization responsible for managing information security in spite of concerns that may arise from inconvenience to users.

Also of great importance is the need for management to measure whether the culture is changing and how much resistance exists to basic security controls. One of the most useful measurements is the level of knowledge of the organization’s information security policy. This is a direct measurement of the level of integration of information security into the culture.

Security policy should be “non-technical, risk-based, and aggressively” communicated throughout the organization. It describes the “ground rules for proper employee behavior and aligns disparate businesses with the organization’s overarching security strategy.” The information security policy is linked to a set of processes and procedures designed by “subject matter experts” and intended to enforce desired behaviors, and to prevent or identify unwanted behaviors.

A useful indirect measure of security as part of the organizational culture is password resilience. Periodically testing whether passwords are regularly changed or easily cracked will tell you whether the culture is overly tolerant or users aren’t worried about disobeying policy. The quality and age of passwords tell a lot about whether the culture still leans more toward convenience than security.
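As an added illustration (not part of Young’s article or of this post), here is one way to turn the password-age and weak-password checks described above into the kind of culture metric management could track. The account records, the 90-day maximum age, the reference date and the weak-password list are all constructed for the example, and the audit compares stored hashes only, so no plaintext passwords are handled.

```python
from datetime import date
import hashlib

# Constructed reference date and policy value for this example only.
TODAY = date(2024, 6, 1)
MAX_PASSWORD_AGE_DAYS = 90

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

# Hypothetical list of passwords known to be weak; only their hashes are kept,
# so the audit never needs to handle plaintext.
KNOWN_WEAK_HASHES = {sha256_hex(p) for p in ("Password1", "Summer2024!", "welcome123")}

# Constructed account records: (username, date password was last changed,
# stored SHA-256 password hash). Not data from any real system.
ACCOUNTS = [
    ("alice", date(2024, 5, 20), sha256_hex("c0rrect-h0rse-battery")),
    ("bob",   date(2023, 11, 2), sha256_hex("Password1")),
    ("carol", date(2024, 1, 15), sha256_hex("welcome123")),
    ("dave",  date(2024, 4, 30), sha256_hex("Summer2024!")),
]

def audit_account(username, last_changed, pw_hash, today=TODAY):
    """Return the list of findings for one account (empty list means clean)."""
    findings = []
    age_days = (today - last_changed).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"stale ({age_days} days old)")
    if pw_hash in KNOWN_WEAK_HASHES:
        findings.append("matches known-weak list")
    return findings

def password_resilience_report(accounts, today=TODAY):
    """Summarise how much of the user base ignores age and quality rules."""
    results = {u: audit_account(u, d, h, today) for u, d, h in accounts}
    stale = sum(1 for f in results.values() if any(x.startswith("stale") for x in f))
    weak = sum(1 for f in results.values() if "matches known-weak list" in f)
    n = len(accounts)
    return {
        "stale_pct": round(100 * stale / n, 1),
        "weak_pct": round(100 * weak / n, 1),
        "findings": results,
    }

if __name__ == "__main__":
    report = password_resilience_report(ACCOUNTS)
    print(f"stale: {report['stale_pct']}%  weak: {report['weak_pct']}%")
    for user, findings in report["findings"].items():
        print(f"  {user}: {', '.join(findings) or 'ok'}")
```

Tracking the two percentages over successive audits is the part that speaks to culture: the trend, not a single snapshot, shows whether the organization is moving toward or away from the policy.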

The Bottom Line

Just as culture is an organization-wide attribute, so too is information security. In order to achieve responsible, rational, and effective information security, it has to become part of the organization’s culture. Employees must believe that complying with information security policies, processes and procedures reinforces, rather than undermines, their organization’s culture.
