Taming the Rebels Without Roles
Every time I see the movie "Rebel Without a Cause" I wonder what James Dean's character would be like once he entered the workforce, and how long he would last at most financial institutions.
Do you, as an information security professional, feel like you're surrounded by rebels at your institution? Are some of them in your senior management? Well, those rebels and everyone else in your institution are the ones you'll be forced to tame to make your institution "policy central" and compliant with the slew of regulatory guidance stating that information security training for all employees must be part of your information security program.
To create that "security culture" we all crave, there are three things you'll want to start with:
1. When you create your awareness and training program, ensure that it ties directly into the intrinsic value of being compliant with the regulations. Don't assume that your awareness trainees know what compliance requires, or that they only want to know "exactly how to be in compliance." Lay out the reasons why the institution is asking them to behave in a certain way, and you'll see more acceptance from your employees.
2. When in doubt, draw it out. Make it clear where the institution's boundaries of roles and responsibilities lie when it comes to information security. Accountability for each employee in their respective role, followed through and checked on via job performance reviews, internal audits, and other means, ensures that your employees are doing what they're supposed to in their assigned jobs. Make information security, or at least the reporting of any and all incidents, a part of every employee's job responsibilities. Write it into your policies that all incidents must be reported as soon as possible.
3. Make those responsible for checking on the compliance of these policies a group other than Information Security. (The information security group checking on the compliance of their policies is akin to the fox guarding the hen house. This points to a conflict of interest no matter how ethical the staff is.) The best areas to perform this checking would be internal audit, a compliance group, or someone responsible for privacy, or as a last resort, an external auditor.
Your job is to convince your institution's management of the need to establish a culture of compliance. Do this, communicate the message of security to everyone in your institution, establish accountability for all staff and hold them to it, and check regularly for compliance with the security policies, and you'll be on the right path to a culture of compliance.