I believe the most challenging topic while implementing an ISMS is creating a new IS culture (or changing an existing one). In ISO27001, we can refer to ‘Security awareness’ (A8.2.2) but it’s not the equivalent of organization culture.
The most important thing is to get support from your Management.
Don’t start your IT Security initiatives without this one. It will amount to nothing even if you have many IT Security awareness tools.
1. Carrot and Stick
“Security awareness is a way of changing the IS culture. Once people are aware of the threats that are out there and how they can be affected, they will want to change their own behavior. This is much better than forcing them to conform to security standards by technical means.” – But it is not really true in the real world.
I’d rather rely on the “Carrot and Stick” – incentives.
- Make InfoSec-correct behavior part of the job description and hence the job appraisal. Make it part of the annual review and hence the basis for the bonus or annual raise. Chastise people for egregious behavior. Use well established principles of behavior management.
- Nevertheless, those technical controls are needed. Not only to deal with errors, oversights and omissions and the cases where people make honest mistakes, but to deal with the technical issues that don’t involve human behavior. Oh, and don’t forget “malicious insiders”.
- Logging, not least of all for the purpose of audit and demonstrating compliance, is also an essential technical control.
A good security-aware workforce is a wonderful thing, but people do what they think their job is, and if you don’t make it clear that security is a key part of their job, all that ‘awareness training’ is, to them, just more lip-flapping on the part of management; like fire alarm test days, they see it either as time off work or as an inconvenient interruption of their work.
The point here is that awareness training is of no use unless you measure its effectiveness. And, as I said, it is of no use unless you back it up with the “Carrot and Stick”.
It is certainly a challenge in several respects. Organizational cultures are easier to experience than to describe, and hard to change (influence is probably a better term in fact). Here are a few Hinson Tips:
- Culture is heavily influenced by management, especially senior management. This is one of the key reasons that genuine senior management support is considered essential when implementing an ISMS … which implies the importance of addressing senior management, helping them understand and appreciate the value of information security from the earliest opportunity.
- Corporate culture is also heavily influenced by powerful opinion-formers within the organization (at any level of the hierarchy), by internal communications and networks (both formal and informal), and by the wider business/industry and national cultures in which people live. These are influenceable to varying degrees. A good awareness program will identify the people, themes, messages and mechanisms across all these areas.
- Culture is an emergent characteristic of the organization, that is, it is demonstrated by people’s actions and belief systems in practice, when they are behaving normally and not being watched, whatever the formal mission statements or fancy posters about corporate values may state.
- Security awareness posters, for example, are unlikely to be sufficient to change culture by themselves, no matter how sexy they appear.
- This includes management: it is no good management saying “Don’t share your passwords” if they share their passwords with their PAs, for example, as this is an example of cultural dissonance.
- Changing corporate culture may be viewed as a massive organization-wide change management activity. Anyone who truly understands how to do massive change management reliably can make a fortune! It’s a very complex and difficult topic, with many different approaches, some of which are complementary and others are conflicting. It’s also highly dependent on the specific context, plus the history leading up to the decisions to change. A serious information security incident, for example, might be the trigger to “do something” about information security which could include implementing an ISMS, but that’s a different starting point than, say, having a cost-benefit justified business case for information security, or legal/regulatory compliance pressures, or pressure from within (e.g. the CISO or ISM). Experience with whatever precedes the ISMS may be positive or negative, and to some extent can be used accordingly by selectively reminding people about and reinterpreting the history.
- Culture is a dynamic thing: it will continue to change or evolve after it has been (somehow) pushed in a certain direction, and that future evolution is not entirely controllable. This is the main reason that we promote the idea of rolling or continuous security awareness programs, since a single event will gradually be forgotten and awareness levels will decay unless constantly refreshed. Using a sequence of security topics is a good way to make sure that the materials remain interesting and engaging, along with having excellent awareness content prepared by people who understand the audiences’ needs. It’s also why we like using security metrics and news of security incidents, especially how they were addressed and resolved, in order to generate positive feedback and so continue driving the ISMS ever onward and upward. It requires management of perceptions.
True, but it’s the term commonly used for the practices needed to influence culture. Hopefully the next version of ISO/IEC 27002 will be more helpful in this respect.
Metrics are helpful, including suitable ‘cultural surveys’, plus various other feedback mechanisms to gather, analyze and learn from information security incidents and near-misses, compliance, attitudes etc. In short, find out what works badly and try to fix it, while doing more of what works well. Simpler to say than do!
Creating a security culture is a challenge, especially one that changes behaviors that you can measure. Here are some resources to help.
- You asked about verifying, here is a blog series on metrics for measuring the change of employee behavior in awareness programs. http://www.securingthehuman.org/blog/2010/09/29/metrics-1
- Free, monthly security awareness newsletters in five languages with new languages every month. http://www.securingthehuman.org/resources/ouch
- I teach a two-day class on how to build, implement and maintain effective awareness programs. You can take this onsite or online. I teach this at least once a month. http://www.sans.org/security-training/securing-human-building-deploying-effective-security-awareness-program-1552-mid
- ENISA has some great resources also at http://www.enisa.europa.eu/act/ar