From compliance to resilience: people, culture and information security
February 25, 2019

Our attention is drawn to destructive cyber-attacks such as WannaCry and NotPetya that give us a glimpse into what sophisticated and malicious attackers can achieve in our interdependent information systems. However, simple exposure of stolen materials such as ‘Collection #1’ which provided over 21 million unique user passwords, shows that such outcomes are not restricted to expert hackers.

The human is both an asset and liability in information security. Our information security culture often views the human with deep suspicion. Human behaviour is seen as malicious, complacent, and/or ignorant. This shapes our organisational actions and creates a culture and behaviours that are often counter-productive. This leads us to position the human contribution to information security system in a very specific way. And, maybe, this is the problem.

Language is revealing, structure is persistent, people adapt

The language used to describe people as part of our information security systems is revealing. We talk about ‘social engineering’, ‘patching the human’, and building the ‘human firewall’. The sense is that we are wiring the human into the machine as just we would another technology component. In doing so, we limit the capacity and capability of the most adaptable part of our organisations to adapt and respond.

We need to take a step back to look at our organisations with clear eyes. The information technologies we have been importing into our organisations over the past 25 years brought with them an alien organisational philosophy. This philosophy entered a highly adapted, industrial-age organisational and social architecture. The technology has changed, and continues to change, the way our organisations function and the way we work but the scaffolding of the older structure remains in place. Organisations and workforces take considerable time and effort to rework.

The workforce is the first to feel the incongruities, the tensions, and disorder as the new clashes with the old. The possibilities of the new ways of working and organising run up hard against the ingrained habits of known process, practice and procedure. They clash with the scaffolding of the older, dominant organisational culture.

In all organisations, people are the shock absorbers that mediate between a changing environment and an organisation’s capacity to adapt. The workforce is the organisation’s buffer against uncertainty. It is also the principal way an organisation absorbs change and adapts.

Compliance a defining feature of information security culture

In positioning people as just another interchangeable part in the information security machinery, we establish a compliance-based culture grounded in control. We have listed the characteristics of this culture below. This information has been gathered from talking with information security professionals and users.

People often express a tension between their ability to contribute positively to information security and the expectations of security culture. This contributes to a reserved or passive attitude to information security. A positive situation would be that the contribution people want to make to information security and the expectations of culture are mutually reinforcing. In our experience, this is a rarer observation.

The features of a compliant information security culture are:

  • Information security is seen as regulation and a set of rules to be followed, with little understanding or attention as to why it is significant.
  • Information Security is perceived as a ‘technical’ solution – in which people and culture are just one of many weak links to be addressed.
  • Leaders, managers and employees do not feel empowered to take an active part in security, but rather feel enforced to comply.
  • ‘Minor’ breaches or ‘odd’ behaviour are not seen as significant, and therefore of no real consequence, so no action is taken.
  • When breaches occur, there is little understanding of the potential implications, and how to use that occurrence as a learning opportunity.
  • There is not a feeling of individual or collective accountability for information security.
  • The practice of information security is punitive, and policy based.
  • The information and tools that inform a protective security culture become rules-based and are both impenetrable and incontestable.
  • Reputation management and the secrecy of breaches is central to sustaining an internally focused culture.

A compliance culture stems from a management approach that sees people as sources of weakness that cannot be trusted, requiring close supervision, lacking in commitment, and behaviourally compliant. It is from this cultural mindset that we get the language like ‘patching the human’.

Toward a positive information security culture

Today, we are doing what is managerially easy. There is less risk and less effort in building a compliance culture. But we know that training for compliance does not work, cultivated apathy does not help, and coercion often begets unintended behaviours.

Changing culture is not a ‘technical’ task to be engineered into place. It requires an understanding of how motivation, incentives, leadership and governance interact to trigger behaviours – desired and undesired. Shaping a positive information security culture and behaviours is a combination of a person’s motivation, ability, and perhaps most importantly, the permission to behave positively.

There is a way forward to a more positive approach to information security that places people and culture at the centre of an information security system that is more resilient, adaptive, and effective.

David Schmidtchen, Executive Director