Information security strategy: it’s turtles all the way down
March 26, 2019

Information security strategy, not technology, determines the maturity of the information security culture and behaviour in an organisation.

It is necessary to start with a brief side journey into what is meant by ‘strategy’. A strategy is not a plan, nor is it a technology. Strategy is about making choices in order to change behaviour. In the context of information security culture and behaviour, strategy should largely deal with the way individual intentions, workplace culture and organisational systems interact to elicit observable behaviour.

For example, an insider threat breach is a product of the way an individual intention (influenced by values, attitudes, commitment, responsibility, experience and emotions) to divulge sensitive information, whether inadvertently or maliciously, interacts with culture (shaped by perceptions of shared values, history, justice and fairness) and systems (the demands, structures, policies, procedures and practices) to produce the observable behaviour of a security breach. Information security strategy seeks to positively influence this interaction.

There is an anecdote that expresses a view that our world rests upon an elephant and the elephant stands upon the back of a turtle. The obvious next question is what does the turtle stand on? The answer is that it is turtles all the way down. The same is true of information security: our working world rests on the technology, but from there on it is people all the way down. We tend to lose sight of this when we define both the problem of information security and our solution through the lens of technology alone.

What then are the contours of a good information security strategy?

  1. It puts people, culture and behaviour at the centre of strategy. It works to shape the interaction between intention, culture and systems so that it generates positive workplace behaviours that add adaptability and resilience to the information security system.
  2. It seeks to broaden information security cultural and behavioural competence and capability by influencing individual intention. In contrast, current approaches focus on controlling observable behaviours without addressing how people think about information security. If you don’t motivate people to think differently, you don’t change their behaviour.
  3. It integrates all the available resources. The objective is mutually supporting lines of activity that lead to a desired outcome. An over-reliance on training or monitoring alone is unlikely to produce a sustainable effect.
  4. It identifies and manages risk rather than evoking ‘big brother’. The Hayne Royal Commission into the financial sector has very clearly demonstrated the risk that a misaligned organisational culture poses to performance and reputation. Culture and behaviour are not a ‘soft’ strategy option to be given tepid executive attention. Together, they represent either a significant strategic strength or a significant strategic weakness. The ‘big brother is always watching’ compliance approach has its place, but on its own it potentially causes more harm than good.
  5. It needs to be led from the top, not delegated to the next available functional head. The breadth, depth and adaptive nature of the information security challenge require constant and visible attention from the top. Leaders give permission for positive behaviour in the workplace and provide the incentives that reinforce those behaviours. It’s turtles all the way down.

There is a need to re-imagine the place of people and culture as central to information security practice and behaviour. The problem is adaptive and the strategic solution needs to be equally adaptive.