Security School page.
When looking to create or expand information security reporting to senior management, often times the biggest challenge is not technical but cultural.
Business managers can be hesitant to have areas of risk highlighted for fear that they will be perceived as not doing their jobs. Lawyers are often nervous that putting vulnerabilities in writing could ultimately be used against the organization. And managers are sometimes hesitant to tell senior management too much, fearing the managers won't understand the information they are given, but recognizing that it represents a significant risk, will feel obligated to give arbitrary directives in a misguided attempt to solve problems they don't fully understand.
While these are all realities that we as security and compliance managers live with, they are ones that mature organizations must push past if they are to holistically manage information security risk and compliance.
Contrary to what many believe, when seeking to address security and compliance weaknesses, knowledge is power and transparency is good. However, to successfully evolve beyond cultural barriers to effective information security reporting, a strategy is required. The following are some time-tested solutions to address these cultural barriers that often stifle effective information security risk and compliance management.
Tips for fostering a compliance culture
English only please – Unquestionably, the most critical make-or-break factor in information security reporting is language. Simply put, any report, whether in scorecard or narrative, must be limited to basic business terminology. No IT terms, no obscure acronyms, no exceptions -- ever. An IDS system or other gateway device may produce a wonderfully detailed 20-page technical report, and while that may be helpful to technical staff, they should never see the light of day in an executive report. Instead, require these data owners to summarize their reports as succinctly as possible using language that someone who has no familiarity with technology would understand.
Make disclosure safe – The second most critical factor is to create an environment where disclosure is safe. Meaning people must be allowed to express both their observations of potential risk as well as operational failures without being persecuted, and managers must foster an environment where such disclosures are encouraged. For observed risks, the focus must be on an assessment of the risk and an analysis of response options. For failures, the focus of the reporting needs to be 1) what happened, 2) what is being doing about it, and 3) what could be done so that it doesn't happen again. Blame is the mortal enemy of collaboration, so any disciplinary action must be done privately. Once people begin to realize that risk and failure can be brought up for healthy discussion, more and more risks will suddenly come out of the woodwork and that is a healthy thing.
Focus on solutions – Simply put, make sure any material risk that is reported to management includes a management-level assessment of that risk and a plan of action (or, at minimum, a series of options). Highlighting a risk in isolation can be paralyzing and is often interpreted that people aren't doing their jobs. But presenting risks with a variety of solutions is empowering and reinforces the fact that people are on the job.
Let them make decisions – When presenting information on the state of the information security program and compliance, give management the opportunity not only to provide input, but also to make decisions. Even if this means simply submitting a menu of choices for a given area of concern, this engages them in the process and builds ownership. This may seem risky (Who wants "pointy-haired bosses" actually making decisions?), but it really does work to build engagement if risks are explained clearly and options area detailed out. Trust me, engagement is very good.
Start small – The fact is that most organizations can't go from nothing to a detailed scorecard in one pass; It just doesn't happen. Start small by focusing on more innocuous data points that allow management to take action (training completion, third-party governance, etc.) As management becomes more comfortable with the reporting cycle, move to more sensitive areas, such as open audit issues, control failures, operational incidents, risk heat maps, etc. (The latter having more direct association with specific business areas.)
In the end, the goal is to create a compliance culture through dialog and engagement. Start small, being exceedingly clear and keep pressing. Eventually people will realize these topics are more approachable then they thought and that creating forums for discussion with a range of constituencies is healthy for the organization, ultimately creating a compliance culture that will serve an organization well.
About the author:
Eric Holmquist is a principal with consulting firm Holmquist Advisory. He has more than 25 years experience in the financial services industry and is a frequent industry author and speaker. As the former vice president and director of operations risk management for Advanta Bank Corp., he was responsible for the development and oversight of the bank's operational risk management program and its information security strategy. In addition, Holmquist chaired the bank's MIS council, an oversight group that provides governance with regard to standards, methods and production of financial and operational reports and the management of enterprise data.
This was first published in January 2011