COMPLIANCE AND GOVERNANCE DIGEST

How to make information security a company-wide effort


Eric Holmquist, Contributor
11.25.2008
One of the unfortunate truths about any information security program is that it is only as strong as the most incompetent or ill-intended employee. History has recorded countless examples of financial businesses that spent millions incorporating state-of-the-art technology, policies, procedures, monitoring mechanisms and comprehensive training, only to have an employee do something that compromised the systems, the data or some business process. While there will always be a place for technology and governance, the fact remains that information security must involve everyone in the company.

This means not only setting the correct tone, but making sure that everyone knows their part and the consequence for violating the rules. The purpose of this tip is to provide concrete steps for financial organizations to create a culture where everyone not only participates, but contributes to the perpetual strengthening of the program.

Make the rules clear. This may seem painfully obvious, but it's amazing how many firms shortchange their training curriculum. Good information security training serves three purposes: to tell people the rules, to make people aware that they are being watched and, most importantly, to let people know that if they violate the rules they can be not just terminated but prosecuted as well. Therefore, when designing the training materials, look at them from two perspectives: the "good soldiers," whom you want to be advocates for the program, and the "bad guys," against whom you want to have recourse if they choose to violate data confidentiality. Tell people exactly what they can and cannot do. Watered-down training material without clear consequences is worthless.

Make it everyone's responsibility. Don't make training solely about do's and don'ts. Provide some creative ideas for people to think about ways that they can improve information security. Let people know that even the littlest things can sometimes bring real benefits to the program. The more that the average employee feels like they "own" part of the program, the more engaged and attentive they will be.

Create a culture of cooperation. Build information security considerations into key processes, particularly around strategic planning and change management. Let the message be that identifying a potential vulnerability is a good thing, because once it's identified it can be mitigated. Remember, the seeds of risk are sown in strategy, and the earlier potential vulnerabilities can be identified, the easier it is to mitigate the risk.

Make disclosure safe. Employees must be able to self-disclose when they perform an action that could or does expose data. The punishment for not immediately disclosing this type of action should be harsher than if someone takes accountability. However, any self-disclosure should lead to the development of an action plan to ensure that the operational failure can never happen again. In this way the organization can not only respond quickly, but remains perpetually self-healing.

Create social intolerance to data exposure. This starts with the tone from the top. Senior management must echo the position that sloppy data handling controls will not be tolerated, and data malfeasance will be prosecuted. When data incidents take place, no matter how minor, they must be dealt with quickly and firmly. If there is even the slightest hint that data security is a secondary priority, the program is doomed. This may seem in conflict with safe disclosure, but there is a difference between simply making an honest mistake and either malicious intent or blatant negligence.

Reward creativity. If someone comes up with a better business process, recognize them in a way that's comfortable to them. (Not everyone wants to be paraded across stage at the next "all-hands" meeting.) If someone comes up with a better control, also recognize them. If someone comes up with a better business process that is also a better control, reward them. Some people are just waiting to show you how brilliant they are.

Don't underestimate people's "gut." Despite all of the fancy technology, monitoring tools and control certifications, at the end of the day don't underestimate people thinking on their feet. Make it exceedingly clear that if anything just doesn't look or feel right that people shouldn't be afraid to tell somebody. It's amazing how many times an event takes place that others noticed and thought suspicious, but in the end assumed that the person was doing what they were authorized to do, only to be sadly mistaken.

A useful test of the size of the corporate army is to take an average employee, not a senior one, and query them on their understanding of the information security program and their role in it. Sometimes we assume that people know, and take ownership of, more than they do. But by setting a strong tone, clearly communicating expectations and encouraging a culture of openness and collaboration, companies can go a long way towards creating sound information security governance.

About the author:
Eric Holmquist is the vice president and director of operations risk management at Advanta Bank Corp. He has over 25 years' experience in the financial services industry and is a frequent industry author and speaker. He is responsible for the development and oversight of the bank's operational risk management program. In addition, Holmquist chairs the operational risk management for IT committee through the Risk Management Association. He is the author of Risk-Sizing ORM – Scaling Operational Risk Management For The Small To Mid-sized Market, and is a contributing author to Operational Risk 2.0 (2007) and The Advanced Measurement Approach to Operational Risk (2006).

