28 April 2005

HOW DO I KNOW IF I HAVE A CULTURE OF SECURITY?

There has been a recent explosion in information security problems, lapses, and scams. For example, the company ChoicePoint, a premier provider of decision-making intelligence to businesses and government, revealed in February 2005 that a major security lapse "enabled fraud artists posing as legitimate businessmen in Los Angeles to access personal information about at least 145,000 people around the country" [1].

According to Bruce Schneier's Weblog on security and security technology: "ChoicePoint's behavior is a textbook example of how to be a bad corporate citizen. The information leakage occurred in October 2004, and it didn't tell any victims until [four months later]. First, ChoicePoint notified 30,000 Californians and said that it would not notify anyone who lived outside California (since the law didn't require it). Finally, after public outcry, it announced that it would notify everyone affected" [2]. In a bit of irony, according to Schneier, ChoicePoint Chairman and CEO Derek V. Smith states that "ChoicePoint's core competency is verifying and authenticating individuals and their credentials." What's more, on its Web site (www.choicepoint.com/about/overview.html), ChoicePoint claims it "strongly promotes the responsible use of information as a fundamental plank of its business model, including strict standards regarding the use and dissemination of personal information."

The ChoicePoint example, along with those at LexisNexis, SAIC, Bank of America, and many others, demonstrates the need for competently and effectively addressing security within and among organizations. These incidents have also served to grow the public's awareness of security issues. Customers, their concerns about privacy and identity theft rising, are increasingly demanding that companies improve their security capabilities. Business partners, suppliers, and vendors are requiring better information security from one another, particularly when providing mutual network and information access. National and international corporate regulators are calling for organizations (and their leaders) to demonstrate "duty of care" with respect to security.

It was California Senate Bill 1386, in effect since July 2003, that forced ChoicePoint to notify affected California residents, thereby making the security breach publicly visible. Without it, who knows whether the people affected would ever have been notified. Even with the law in place and ChoicePoint's action, a question worth asking is, "Was there a 'culture of security' present in ChoicePoint at the time of the security breach?" If not, is the company intending to create one today? And what does it mean to have such a culture?

Ernst & Young's 2004 Global Information Security Survey states [3]:

Ultimately, information security is a human enterprise, as demonstrated by respondents citing "lack of security awareness by users" as the top obstacle to effective information security. No amount of technology can reduce the overriding impact of human complexities, inconsistencies, and peculiarities. Any strategy that overlooks this realization is inherently flawed. With proper training and education, people can become the most effective layer in an organization's defense-in-depth strategy. The first step is making sure they operate in a security conscious culture [emphasis added].[4]

Culture is defined as the predominating and shared attitudes, values, goals, behaviors, and practices that characterize the functioning of a group or organization. So how do I know whether there is a culture of security within my organization and within the partner organizations to which I've granted network access?

For the past 18 months, Carnegie Mellon University's Software Engineering Institute has conducted in-depth discussions and interviews, workshops, and field work with a wide range of organizations committed to improving their security capability. Based on this work, it has identified the following set of beliefs, behaviors, capabilities, and actions that consistently indicate the presence of a culture of security:

  • Security is addressed and enacted at an enterprise level. C-level leaders understand their accountability and responsibility with respect to security for the organization, for their stakeholders, and for the communities they serve, including the Internet community.

  • Security is treated in the same fashion as any other business requirement. It is considered as a cost of doing business, not a discretionary or negotiable budget line item that needs to be regularly defended. Business units and staff don't get to pick and choose how much security they want. Adequate and sustained funding and allocation of resources are a given.

  • Security is addressed during normal strategic and operational planning cycles. Security has achievable, measurable objectives that directly align with enterprise objectives. Determining how much security is enough equates to how much risk and how much exposure an organization can tolerate.

  • All functions and business units within the organization view security as part of their responsibility. The leaders of these entities understand that their performance with respect to security is measured as part of their overall job performance.

  • Security is integrated into functions and processes for risk management, human resources (hiring, firing), audit/compliance, disaster recovery, business continuity, asset management, project management, and IT operations. Security is actively considered as part of project initiation and ongoing project management, and during all phases of any software development life cycle (applications and operations).

  • All personnel who have access to enterprise networks understand their individual responsibility with respect to protecting and preserving the organization's security condition. Rewards, recognition, and consequences with respect to security policy compliance are consistently applied and reinforced.

While the statements in the list above are in roughly priority order, determining which are most important depends on an organization's own culture and business context. C-level leaders committed to establishing and sustaining a culture of security can use these statements to determine the extent to which such a culture is or needs to be present in their organizations.

-- Julia Allen

[Note: Julia Allen is a senior researcher at Carnegie Mellon University's Software Engineering Institute's CERT(R) Coordination Center. One of her research objectives in addressing enterprise security from a governance and cultural perspective [5] is to determine arguments and language that speak to the concerns of senior executives. In recommending that organizations adopt a culture of security, she is interested in responses to the following questions:

  1. Do you agree or disagree that there is a need for a security conscious culture in your organization?

  2. For you, is the list above sufficient, or are there other characteristics that demonstrate that a culture of security exists in an organization?

Please contact Julia Allen (jha@sei.cmu.edu) with your questions and comments.]

References

[1] Washington Post, "Data Under Siege," 10 March 2005.

[2] "Schneier on Security," 23 February 2005.

[3] Ernst & Young. "Global Information Security Survey 2004."

[4] The Organisation for Economic Co-operation and Development (OECD) discusses the need to develop a "culture of security" in its "Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security," OECD, 2002. Formed in 1961, the OECD is a unique forum where the governments of 30 market democracies (including the US, UK, Australia, and most members of the EU) work together to address the economic, social, environmental, and governance challenges of the globalising world economy, as well as to exploit its opportunities. The OECD produces internationally agreed instruments, decisions, and recommendations to promote rules of the game in areas where multilateral agreement is necessary for individual countries to make progress in a globalised economy. The OECD is one of the world's largest publishers in the fields of economics and public policy. For more information on the OECD, refer to http://www.oecd.org.

[5] CERT Governance portal, http://www.cert.org/nav/index_green.html.

(R) CERT is registered in the US Patent and Trademark Office by Carnegie Mellon University.
