Do as you say others should do!

Andreas Dannert

President of ISACA Melbourne Chapter


How can an organisation implement good security if its leaders are not living it and employees are not aware of it?

I don’t think it is possible without running the risk of spending too many resources on implementing security and maintaining it.

You need to be technically secure, but you also need to cultivate appropriate, secure behaviour. Just as you teach your children to look both ways before crossing the street, role modelling this behaviour yourself, you need to do the same in an organisation.

My assumption here is that an organisation can only be effectively secured when it takes into account technology, processes and people equally. Take out one and the organisation is unnecessarily spending more than it needs to on the other two, and potentially compromising security overall. With this in mind, setting the right security example at the top of the organisation is essential.

Several issues emerge from not living a security example and demonstrating good security behaviours, just as there are from not demonstrating to your kids how to cross the street. Failing to ensure the organisation as a whole is embracing good security behaviour can be costly.

Whenever I am consulting in an organisation and I notice it doesn’t ‘live its security’, I often find that it is implemented as an afterthought. Good security is implemented wholeheartedly. I am not referring to budget. Setting the right tone within an organisation, when it comes to security, will reduce security costs and improve security without spending more.

Treating security as an afterthought typically leads to situations where security is retrofitted to solutions. It should be a central part of the design. As a result, more complex solutions get implemented and complexity—the enemy of security—gets introduced.

When you are on the defending side, you want to have the best visibility. Complex solutions are hard to validate and maintain.

By failing to live security at senior levels you create issues that can cost an organisation. Let me explain with some examples.

Security as an afterthought. Too often I’ve seen IT projects remembering at the last minute that security needs to be factored in as part of the application or system being implemented. As a result, code reviews of applications are done late, the architecture only gets reviewed after the application is implemented, and the security architect is involved for a quick, ‘five minute feedback session’ just prior to signing the contract. These approaches are doomed to fail and cost more. Time and urgency are no excuse. This puts the organisation at risk. It would be easily mitigated if security was always a central function of the project.

The sooner security is considered the less costly it will be. If leadership is not highlighting its importance by, for example, not having a CISO or equivalent in the organisation, it’s sending the message that security can be implemented somewhere down the line.

No security awareness. The second scenario I come across is poor security awareness. There are two reasons for this. When security culture doesn’t exist, it’s clear the organisation’s leadership underestimates the power of ‘living its security’.

Common examples highlight this quickly, such as how easily you can tailgate staff in through the front door. Usually, too easily. If senior executives can approach employees they don’t know who have no security badge clearly visible, for example, and ask them to display it or direct them to reception to check in, they not only increase their organisation’s security, they also send a message that is quickly noticed by others.

This can be achieved more broadly by having senior management set other examples, modelling the security they desire. Another more frightening example I’ve seen is the CFO who didn’t protect his smartphone with a PIN. Apparently he never kept any sensitive information on it, but he forgot that anyone using his phone to, for example, send a phishing email would likely have had a great success rate.

He was not only risking someone stealing his phone and using it maliciously, he was also role modelling to fellow employees the behaviour that protecting your personal devices is not important if there’s no information on them.

Not setting the tone for security issues. The tone adopted by leadership in relation to security affects the way it is portrayed throughout the organisation. When senior managers are talking about security as a burden, they fail to convey the value of security and undermine good secure behaviours. Policies are good examples. They are often seen as a necessary evil required by auditors or regulation, not because they can effectively steer the organisation’s stance and processes. If security policies were instead used as a tool to guide the way everyone in an organisation should approach security, their implementations would be underpinned by the right messages and information to help people understand what the organisation is trying to achieve.

Organisations with a good connection to their policies use these as a powerful tool to consistently affect the overall behaviour of the organisation, making changes for the better.

Security maturity in an organisation is only achieved when organisational leadership mandates security and lives up to it at every level. This includes putting security in the spotlight by having a role such as CISO. Without these you are setting the wrong tone, ignoring secure culture and sending the wrong messages to everyone within the organisation.

This article was brought to you by Enex TestLab, content directors for CSO Australia.

