Culture vs Governance
“It takes a village to secure a village” means security is expected behavior of any good corporate citizen. On the security side, we often hear strategy, solution, governance, planning, and controls. But what seemed to miss in the whole picture is how to influence security behavior in the organization. If security has not been taken seriously, does the corporate policy really matters all that much to an employee?
Recently, in another security conference, the same message about influencing cultural change been the primary objective of any CISO was re-iterated. So is there a gap between existing employee behavior vs expected secured corporate culture? Lets see if we can point out some difference between governance and culture today.
Governance : Employee should not disclose sensitive data information outside of the corporate network.
Culture : The only way I can handle my work load is if I bring my work home on my own personal device.
Governance : Employee should follow the information security guideline.
Culture : Security guideline can be re-evaluated when it comes to doctors and board room executives.
I once asked a very senior CISO, “what is information security governance?”. In his own words, “…governance is a framework that define plan and strategy to achieve balanced information security objectives.” However, with so many conflicts between security guidance vs organizational culture, what is the right governance for a business?
Then this article (http://www.tlnt.com/2012/01/16/4-reasons-why-culture-is-more-important-thank-strategy/) pops into my browser. The key points are…
1. Culture is more important than strategy
2. Companies who align culture and strategy are more successful
3. Encouraging individual, cultural attributes are the keys
4. Maintaining a successful culture takes careful attention and hard work
Between what we have to do (compliance) and what we tend to behave (culture), the article left me with two questions :
a. How do we make corporate culture an integral part of security governance?
b. How will security helps transform business to be more successful?
There is no definitive answer from me at the moment, though I do welcome any comment from anyone who read my blog.