The point has been made again and again and, as per the Forcepoint 2016 Global Threat Report,1 humans are still the weakest link in security. It is, therefore, essential that information security professionals acknowledge and address this problem. Resolving problems within the human workforce is complex, challenging and daunting, but it is definitely not an insurmountable task.
Addressing modern workplace and workforce challenges, coupled with the growing threat landscape, requires dynamic, out-of-the-box approaches. Traditional approaches such as deploying learning management solutions or conducting a one-day workshop on information security no longer solve the problem. To effectively create and implement a culture that clearly understands the risk and is open to managing risk factors, the people in an organization and the environment in which they are operating must effectively support information security strategies and objectives. This article discusses how to develop and implement a behavioral competency model that enables achievement of information security objectives and describes how COBIT 5 can be leveraged to build and model information security behaviors.
Importance of Organizational Culture to Business
It has been proven repeatedly that “Culture eats strategy for breakfast.”2 It is practically impossible to introduce and sustain a positive change in any function of the business without aligning the organizational culture to strategy. Similarly, this is the case with information security. In order to enable a workforce that understands and practices security as part of daily work life, the organization must implement systems and mechanisms to drive the change and achieve the results it is seeking.
What Is Organizational Culture?
Organizational culture is a system of shared assumptions, values and beliefs that governs how people behave in organizations. These shared values have a strong influence on the people in the organization and dictate how they dress, act and perform their jobs. Organizational culture is also defined as the organization’s immune system that protects the corporate “body” from unhealthy thoughts and deeds. It is an extremely important element for information security professionals.
Human behavior and organizational culture—Humans are the building blocks of any organization and have a considerable impact on its culture. In fact, human behavior and organizational culture are so intertwined that each is both a cause and an effect of the other. Figure 1 illustrates the general factors that affect human behavior at work, as they feed into culture.
Figure 1—Factors Affecting Organizational Culture
Source: Mohammed Almahmoud. Reprinted with permission.
Factors affecting culture and human behavior—Of the various factors affecting organizational culture, leadership is the most critical in driving organizational change. In today’s workplace, everybody is expected to exhibit leadership capabilities in the function in which they operate. A failure of leadership means a failure of everything within the organization.
COBIT 5 and Culture
Of the various governance frameworks and standards that are available in the market today (Organisation for Economic Co-operation and Development [OECD], World Business Council for Sustainable Development [WBCSD], Capital Market Authority [CMA] in Saudi Arabia, Securities and Exchange Board of India [SEBI] code on corporate governance, to name a few), COBIT 5 is one that acknowledges the importance of culture, ethics and behavior in the overall achievement of organizational objectives. COBIT 5 also clearly underscores the various interdependencies among culture, ethics, behavior and other enablers, as shown in figure 2.
Figure 2—COBIT 5 Enterprise Enablers
Source: ISACA, COBIT 5, USA, 2012
Effective implementation of COBIT 5 within an enterprise relies on organizations having complete knowledge of the current organizational culture—an understanding often lacking in many. Once the current operating culture of the organization is understood, the focus can then move from where the organization is, to where it is going and where it wants to be, using behavioral modeling. The Center for Creative Leadership (CCL) model of understanding the current organizational culture is quite useful in this regard.
CCL Organizational Culture Operating Model
The CCL developed a model of organizational culture that divides the operating culture into the three areas described in figure 3.
Figure 3—Operating Organizational Cultures and Their Features
Source: Center for Creative Leadership. Reprinted with permission.
- Dependent leadership culture: Hierarchical, conservative. Technical expertise is rewarded and success is based on loyalty.
- Independent leadership culture: Decentralized decision making. Cross-functional knowledge sharing is prohibited; adaptable, individual performance is rewarded. Synergizes only the individual organization functions.
- Interdependent leadership culture: Openness and candor. Cross-functional knowledge sharing is enabled; synergy exists across the entire enterprise.
How to Analyze Culture
Humans behave well in a supervised environment. However, to really understand the operating culture of an organization, the authors conducted research in which they observed the way each and every function of an organization operates under the guise of benchmarking service standards. (Management clearance was obtained before conducting the research.) The observations were based on the following artifacts, which are generally represented in any organization’s culture:
- Decision making
- Working styles
Once the operating culture of the organization was identified, the needs and efforts required to reach the desired operating level were documented. Information security practitioners must be cautious when doing this as not all organizations’ needs and goals are the same.
Findings should be supported with objective reasoning and evidence wherever applicable, as shown in figure 4. This was done at every functional level, to provide granularity. The overall operating culture was calculated as follows:
Figure 4—Example Method of Supporting Documentation
Source: G. Kannan and V. Sivasubramanian. Reprinted with permission.
If dependent leadership culture > independent and interdependent, then the overall operating culture is dependent.
A rewards vs. efforts analysis was done before reaching a concrete decision on the way forward and to allocate resources in terms of people and money.
A strategy can then be formulated for every department, as shown in figure 5.
Figure 5—Example of Department Strategy Development
Source: G. Kannan and V. Sivasubramanian. Reprinted with permission.
- Analyze strengths and weaknesses of resources.
- Cross-train members using existing resources.
- Hold team get-togethers.
- Document expected behaviors.
- Incorporate expected behaviors in processes.
- Train, retrain and reinforce expected behaviors.
Documenting expected behavior is the first step toward building a resilient organizational culture. A sample template leveraged from COBIT 5 for Risk is shown in figure 6. It is intentionally incomplete and provides only a general framework. Sample outcomes and behaviors are taken from the assessment exercise described in this article.
Figure 6—Expected Behaviors and Outcomes
Source: ISACA, COBIT 5 for Risk, USA, 2013
Key Performance Indicators and Outcomes
- Key performance indicator: Shows positive behavior toward raising issues or negative outcomes.
  Outcome: Whistle-blowers are seen as making a positive contribution to the enterprise. The “blame culture” is avoided. Personnel understand the need for risk awareness and reporting possible weaknesses.
- Key performance indicator: Business accepts ownership of risk.
  Outcome: Risk practices are incorporated throughout the enterprise. Accountabilities are defined and accepted. IT-related business risk is owned by the business and not viewed solely as the responsibility of the IT department or the risk function.
- Key performance indicator: Each stakeholder understands risk and knows the impact of risk on the organization.
  Outcome: Stakeholders make decisions based on practices of risk management.
- Key performance indicator: Stakeholders help one another mitigate risk.
  Outcome: Stakeholders understand the risk perspectives of other departments and help them by implementing controls from their end (e.g., IT implements certain controls to mitigate the risk of operations).
- Key performance indicator: Management follows risk management practices.
  Outcome: Management respects the policies and decisions of risk management professionals.
- Key performance indicator: Risk mitigation practices and suggestions are rewarded.
  Outcome: Employees who practice risk management in their decision making and who have made a positive contribution toward risk management are acknowledged and rewarded.
- Key performance indicator: Employees are educated on risk management.
  Outcome: Employees who complete courses on risk management from ISACA and The Institute of Internal Auditors (IIA) are compensated, acknowledged and rewarded. Reward is based on acquiring new skills and the impact those skills have on the organization and its functions.
Once expected behaviors were documented, it was then necessary to assign teams and members to the challenging task of organizational transformation. To ensure this was done in the right manner, the human resources (HR) skill matrix within the organization was leveraged. The HR skill matrix was comprehensive enough to document the technical as well as nontechnical skill sets of various employees. After careful analysis and a personal interview with every team member, they were asked to implement cultural change going forward and were incentivized by a reward system. This ensured transparency and buy-in from the employees at various levels. It also contributed to a motivated and committed team.
The team members were then briefed on the way forward and notified that all members were responsible for the single mission of building an interdependent culture within their functions as well as the organization. The management team then briefed employees on the role that information security and management professionals would play in this task and the methodology of handling issues and progress.
Evaluate, Direct and Monitor Strategy
It is necessary to link the results of Evaluate, Direct and Monitor (EDM) to expected behaviors, outcomes and strategy. If necessary, changes in strategy and behaviors can be made, but not changes to the overall vision. Management and information security professionals acted only as facilitators for reducing noise, mitigating negativity and suggesting course corrections through discussions, with the aim of achieving a transformed organizational culture that understands risk and practices risk management as part of everyday work. External expertise was brought in wherever and whenever required; however, based on experience, it was understood that once employees were motivated, innovative solutions would be created without the need for external expertise. Documented evaluations, corrections and discussions were published on the company intranet portal, and opinions and feedback were solicited from everyone. Every function and employee had access to lectures and expert videos on organizational transformation, culture, risk management and other relevant topics. This ensured knowledge dissemination on an ongoing basis.
Management and Continual Improvement
Measurement of behavioral change is probably one of the most daunting and challenging tasks. However, to strengthen and maintain established baselines of culture, ethics and behavior, the organization implemented the following internal mechanisms:
As the saying goes, change is hard at first, messy in the middle and beautiful in the end. The overall journey of understanding and improving culture within the organization was implemented over a year with minimal investments. Even if not all of the items on the list, which is extremely ambitious, are achieved, the journey ahead is still worth every effort and makes the organization a more positive and engaging workplace. Therefore, if every organization were to concentrate some time on improving the working culture of its operating environment, it would go a long way in bringing about the necessary results. However, care should be taken not to lose focus on routine activities and the other business targets.
Ganapathy Kannan, ISO 27001 LA
Is a passionate, dedicated senior information security executive with RC Ideal Groups Ltd, who loves implementing frameworks. Kannan is active in the information security community in Chennai, India, and has delivered talks at Nullcon and at ISACA Chennai gatherings.
Vinoth Sivasubramanian, CEH, CISSP, DCPLA, ISO 27001 LA
Is the chief information security officer for RC Ideal Groups Ltd. His expertise is in topics such as governance, risk management and compliance; organization design; risk management; IT audits; fraud risk assessment and organizational culture. He is a firm believer in the philosophy that only a combination of people, processes and technology can enable a holistic solution to the various challenges faced by organizations. Sivasubramanian is active in the null information security community in Chennai, India, and has received accolades from his peers. He was recently given special recognition for his contribution to the governance, risk management and compliance community by CISO Platform, an online community in India.
1 Forcepoint, 2016 Global Threat Report
2 Rick, T.; “Organisational Culture Eats Strategy for Breakfast, Lunch and Dinner,” Meliorate, 11 June 2014