Is Compliance Compromising Your Information Security Culture?
Individual organizations spend millions per year complying with information security mandates, which tend to be either too general or too specific. However, organizations focusing solely on compliance miss the opportunity to strengthen their information security culture. This blog post will explain the benefits of information security culture and demonstrate how compliance with information security mandates may prevent organizations from achieving their full information security culture potential.
What is information security culture? Why does it matter?
There is no single, accepted definition for information security culture. Generally speaking, it can be defined as the "way [information security] things are done" at an organization. Information security practices are acculturated when everyone at an organization knows how to identify information security-related issues, knows what to do if they encounter an issue, and then responds to it appropriately. In other words, information security culture is an information security program manager's dream.
There are many benefits associated with having a strong information security culture, aside from happy managers and better information security program management. Organizations with a strong information security culture have employees who exhibit improved situational awareness and increased resistance to social engineering attacks. These employees are also more likely to have compliant intentions (i.e., they want to comply with their organization's policies) and are more likely to identify and report information security incidents when they see them.
Information security culture factors
One might expect compliance with an exhaustive standard, like PCI-DSS, to help an organization improve its information security culture. However, empirical research (see Further Reading) shows only a handful of factors contribute to an organization's information security culture:
- Senior management support
- Information security policies
- Information security training
- Information security program management (compliance, monitoring, and auditing activities)
Unfortunately, information security mandates do not always incorporate these factors. When they do, they mandate them in a fashion that is not likely to produce a strong cultural effect.
Issues with mandates and information security culture factors
In my master's thesis, Information Security Culture Factors Assessment of Federal Regulations and Private Standards, I examined a small collection of private standards (ISO 27001, PCI-DSS, NERC CIP) and federal regulations (HIPAA, GLBA, FISMA) to see how they mandate the aforementioned information security culture factors. In the end, I found significant differences between the document types. The federal regulations tended to be more interpretive, whereas the private standards tended to be more explicit. Overly generic or overly specific mandates can be problematic for information security culture because an organization may miss the opportunity to enhance its culture if it follows the letter of these mandates alone. This concern specifically relates to observations I made concerning issues like information security policies, training requirements, and executive position mandates.
Issue: Overly generic information security policy requirements
Most of the documents I analyzed require organizations to have information security policies, but the federal regulations contain few, if any, requirements for the contents of those policies. The regulations miss the opportunity to require organizations to incorporate culture-strengthening elements into their policy documents. Organizational culture research suggests companies with clearly articulated qualitative beliefs have stronger culture, so organizations should use their policies to express the vision for their information security program. This could mean including an element such as an affirmation of senior management's support for the program, which demonstrates the importance of information security to the entire organization.
Issue: Overly specific training requirements
The private standards I analyzed mandate that organizations train users at specific intervals or for certain skills. Information security training is essential to a strong information security culture, but organizational training literature indicates training programs should be adapted to suit organizational needs. This means organizations are more likely to achieve better outcomes, and a stronger information security culture, when they implement customized training programs. For example, while an annual phishing training requirement may sound reasonable, the requirement may not be effective at all organizations. Organizations must be willing to train more often, and for more skills, if they expect to create an environment in which users can identify and respond to information security issues appropriately.
Issue: Mandating new executive roles
Some of the regulations analyzed require organizations to create specific senior leadership positions, like the Chief Information Security Officer (CISO) role. Organizations cannot have strong information security culture without senior management support, but there is little research on the positive effect that CISOs, and other designated information security executives, have on information security culture. One study suggests CISOs struggle with legitimacy issues and do not have a significant impact on their organization's information security culture. Organizations should not rely solely on newly installed information security executives to create an immediate impact on their institution's information security culture. Instead, they should also encourage established executives to assist in the cultural transformation process.
Compliance is the baseline, not the goal for information security culture
Compliance will always be an objective for information security programs, but a checklist approach to information security can only achieve, at best, a checklist culture. We cannot expect compliance with any mandate, private or federal, to help organizations develop strong information security culture because information security culture factors, like training, must be tailored to each environment.
Organizations interested in improving their information security culture are encouraged to adopt verified information security culture practices and to periodically assess their organization's culture using validated tools, like the HAIS-Q (Human Aspects of Information Security Questionnaire), to determine if those practices are effective. Organizations are already spending considerable resources on their information security programs, so they should consider investing in their own culture if they want those programs to be more effective.
Please contact the SEI to obtain a copy of my master's thesis, Information Security Culture Factors Assessment of Federal Regulations and Private Standards.