Perhaps more than any other society, American culture looks up to and honors the rebel, the independent thinker and the successful deviant. Where else would hackers, who go to jail repeatedly for their crimes, be the celebrated cause for a counter-culture movement?
In a culture such as this, compliance with laws, regulations, policies or any other rules coming from the establishment look to many people boring and deadening. In the eyes of some, the person who complies has sold out, has been defeated by the system. It is into this larger societal conversation that we information security practitioners are sending our training and awareness messages, and it is no surprise that non-compliance has been, and continues to be, rampant.
While all information security professionals will no doubt acknowledge that their organizations have compliance problems, few have investigated the specific ways that their organization's corporate culture actually fosters non-compliance. How an organization approaches rules, approaches compliance and checks on compliance will have a profound impact on the success or failure of an information security effort. Unfortunately, culture-shifting efforts are most often not an official part of the Information Security Department's budget.
To help build a corporate culture that is truly supportive of compliance, I suggest three important endeavors:
- First of these is an awareness and training program that speaks directly to the merits of being in compliance with laws, regulations, policies, standards and other rules. Too many training and awareness efforts assume that the recipients of information security material are on board with the notion of compliance, that they only want the details of how to come into compliance.
- Second amongst these is the clarification of roles and responsibilities when it comes to information security. We need to be very specific about accountability. We need to follow up via performance reviews, internal audits, automatic vulnerability identification software and other checking mechanisms, in order to make sure that people are delivering in a manner consistent with assigned roles and responsibilities. This means that job descriptions need to explicitly include information security tasks. These tasks need to appear not only in the job descriptions of technical specialists, but also managers and end users.
- The third of these suggestions for establishing a corporate culture conducive to compliance involves the funding for compliance-checking jobs (be these people internal employees, consultants, contractors, whatever). The Information Security Department in general should not be tasked with this compliance checking because it would be a conflict of interest. It is the Information Security Department's role to develop draft rules, and to develop a consensus around these draft rules. It should not be the Information Security Department's job to check its own work. This checking should instead be done by an Internal Audit Department, a compliance group in the Legal Department, a Chief Privacy Officer (generally also in the Legal Department), external auditors and/or others.
Only when management truly sees the need to establish a corporate culture of compliance, when they have actually communicated that message to the rank-and-file, when they have begun to hold people accountable for results and when they provide funding for compliance- checking can we expect to see the beginnings of a corporate culture conducive to compliance with information security rules.
MORE INFORMATION ON POLICY COMPLIANCE
- Read this tip, also by Charles Cresson Wood, on how action-forcing mechanisms encourage policy compliance.
- Learn how some companies are using employee dismissal to set an example for policy infractions in this article, Pink slips motivate policy compliance.
- There are important factors you should consider before investing in a policy-compliance tool. Learn about those factors in this column.
About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of Information Security Policies Made Easy. You can reach him at firstname.lastname@example.org.