Mobilizing the Human Element: Creating a Secure Culture
The development of a secure computing environment requires high-level sensing, detecting, filtering, authenticating, encrypting, and authorizing equipment to be purchased and disbursed across an organization's appliances and systems. The process of establishing an enhanced security environment reaches well beyond physical equipment in an attempt to bring together an organization's most diverse component: its people.
This section considers the following topics:
Employee involvement
Management involvement: steering committee
Employee Involvement
It is becoming increasingly incumbent upon organizations to foster a culture that embraces security as an employee-initiative program, rather than a set of top-down rules imposed on users. Most employees have a genuine desire to maintain a positive working environment, and if they are informed about issues and understand what is at stake, they are more likely to become vigilant participants in the security process. Employee education can spell the difference between creating a security culture and merely installing equipment to build a security system.
Education can take many forms, but setting a tone can begin the moment an individual joins an organization. By incorporating security expectations in every job description, or statement of duties, individuals not only understand what is expected but also recognize the organization's commitment to having its employees accountable for security. The more prominence the statement is given on a job description, the greater its impact for each employee.
Orientation programs can be ideal forums to begin the process of disseminating security information, allowing new users to acknowledge the following policies of an organization:
Internet policy
E-mail policy
Hardware and software policy
Physical security policy
In recent years, organizations have become more diligent in checking business and personal character references during the hiring process. They delve deeper into resumes, substantiating employment periods, academic degrees, and other pertinent claims a prospective employee might make. Certain organizations are extending this practice to include contract, part-time, and temporary workers, ensuring that agencies that provide such people perform exhaustive identity checks before they are approved for work.
Management Involvement: Steering Committee
Organizations can have departments that are so diverse that it can be challenging to get its different factions moving in the same direction. From R&D and finance to warehousing and investor relations, finding common ground can be a challenge unto itself. While security is not the great leveler, it is an element that runs through every fabric of an operation. Every user is capable of wreaking havoc, and every individual is responsible for the sanctity of security practices.
Creating a security culture can be enhanced by the formation of an inter-departmental senior-level security steering committee. The direct involvement of leaders from distant groups can create positive ripple effects in the organization. Senior managers can do the following:
Bring pertinent issues to the fore
Be required to understand the needs of other departments, and the organization, in their quest to achieve a process that benefits all
Provide a reliable litmus test to determine whether potential solutions are overly restrictive and could result in negative implications, such as users circumventing the rules
Have a stake in the process, which makes them better equipped, and more inclined, to ensure implementation in their own departments
The steering committee concept can be a positive forum for senior managers to develop corporate policy in an area that is normally outside their sphere of influence. No single entity of an organization is an island, and bringing senior managers together under one umbrella can have a twofold effect: It can help to ensure the organization's security, and it can create an avenue for the pertinent corporate discussions that naturally ensue.