Tuesday 29 May 2012

Security Cultivation - a primer


The June 2008 Hannigan Report on Data Handling Procedures in UK Government required a number of actions. One that stands out for me states that “Departments should put in place plans to lead and foster a culture that values, protects and uses information for the public good, and monitor progress, as a minimum through standardised Civil Service-wide questions in their people surveys”. What is very apparent is that little has been done to address this fundamental issue.

The development of a security ‘culture’ intrigues me. There are a lot of people (mainly academics and consultants) seeking to attain the intellectual high-ground in this area. This intellectual understanding (if it is indeed so) has not been translated into reality in many parts of government.

One of the prescribed roles in government is that of the Senior Information Risk Owner, or SIRO. Each SIRO is tasked with four main deliverables, as follows:
  • An Information Risk Policy
  • An Information Risk Assessment
  • Advice on the Statement of Internal Controls
  • A Cultural Change Plan

The first three strike me as being straightforward. The final one is not. It causes me to ask the following questions.

What is ‘culture’? Why change it? How do you measure it so you know when to change it, and by how much?

So, it’s Wikipedia to the rescue with their definition(s) of culture:
  • Excellence of taste in the fine arts and humanities, also known as high culture
  • An integrated pattern of human knowledge, belief, and behaviour that depends upon the capacity for symbolic thought and social learning
  • The set of shared attitudes, values, goals, and practices that characterises an institution, organisation or group

I reckon we’re looking at something that lurks between definitions 2 and 3. All the literature and studies I can find suggest that imposing culture does not work. Culture is not a ‘thing’ in itself - it is the result of many things happening at lower levels within an organisation. To change culture, you need to change the way people interact with each other. What is also a common thread in the literature is the use of terms I can only describe as ‘horticultural’. Examples include the already mentioned ‘nurture’, ‘foster’ and ‘cultivate’. It’s perhaps no coincidence that the Latin root of the word ‘culture’ is ‘cultura’, which in itself stems from the word ‘colere’ - to cultivate.

This leads on to the inevitable development of a series of horticultural metaphors relating to culture. A gardener seeks to develop an environment wherein things he wants to grow actually do grow. He seeks to discourage or prevent things that he doesn’t want to grow from growing. He wants to keep pests out, to stop them destroying the things he wants to grow. He is trying to provide the right conditions for his plants to do their stuff. He can’t do their stuff for them.

Given that cultural imposition is ineffective (history has too many examples of attempted cultural suppression that led to fierce resistance and failure), if we want to change our organisational culture to one that has the characteristics we want, we have to provide the right conditions. We can (to some degree) secure ourselves from pests - an anti-bird net is a fine metaphor for a firewall, as is a slug pellet. Providing safe conditions can be equated to providing feed (compost and minerals, for example).

I think that the prime ingredient for a sound security culture is the example set by senior managers. This can probably fall into a ‘nurturing’ metaphor, but I know most metaphors fail to withstand close scrutiny and analysis, so I’m not taking it too far! This aside, the concept remains sound. Without the big players walking the talk, you will probably fail. People hate change, and if they see their seniors not doing what they themselves say people should do, they have the best reason for not doing it as well.

If you want to develop a successful security culture, you need to ensure the top brass act appropriately. They need to know how they should behave. You have to identify those behaviours you consider most appropriate to the security culture you want, and then encourage people to behave that way.

This issue is often made more difficult because managing a cultural change initiative goes beyond the normal bounds associated with information security management. You need to integrate with your HR function, your corporate governance bodies, your trades unions (if you have them) and many others besides. You are also asking people to change, which is one of the hardest things anyone can attempt.

There are some simple tips that make this a little easier. You need to understand what it is you want. You need to articulate this understanding clearly so that other people understand what you want. You need to communicate your understanding clearly, and try, wherever possible, to demonstrate that the change you are asking for brings benefits to those affected by it. You should also ensure a degree of continuity in the change process - if there are elements that are familiar in the ‘new’, it is likely to be more readily accepted. Unfettered radical change that misses this trick is very hard to accept, mainly because it will feel like imposition, and we know that rarely works.

This issue is going to grow and grow. Start cultivating now.