Embedding Security and Continuity Culture

Author: Samuel Shanthan, CISM, CIPM, CPRM, MBCI
Date Published: 12 May 2021

Even when an organization implements sound policies, procedures, security controls and accredited standards, low effectiveness can be expected without an organizationwide, positive information security and business continuity (IS&BC) culture. This article emphasizes the importance of embedding a security and continuity culture within the organization and suggests ways to achieve it.

Figure 1 maps the contribution to IS&BC culture from different elements and processes and the measurement of it.

Information security and business continuity are interrelated in the following ways:

  • Information security includes availability, which is part of business continuity and disaster recovery.
  • An information asset register should align with the business impact analysis (BIA) produced through business continuity planning, especially with respect to availability. This alignment should flow seamlessly into developing the disaster recovery plan (DRP).
  • Information security incidents, depending on magnitude, may lead to business continuity and crisis events.
  • Both disciplines are governed by risk-based International Organization for Standardization (ISO) standards, ISO/IEC 27001 and ISO 22301, which share several common requirements (for example, management commitment, risk assessment, internal audit and continual improvement).

What Is Culture?

Security and continuity culture can be defined as the attitudes and shared working agreements of employees, management and partners in relation to IS&BC matters.

Processes
There are several processes that can be performed to develop culture. These processes closely align with the Plan, Do, Check, Act (PDCA) Model. Each process may have subprocesses or activities depending on the complexity.

Planning
IS&BC culture should be embedded from project inception, through the development of policies and plans, and into testing. IS&BC should also be part of every project and management decision, for example by including IS&BC items in project and procurement checklists.

IS&BC should be embedded in organizational strategic and operational plans and actively contribute to achieving the organizational objectives and mission. A business continuity culture is evidenced in planning decisions such as selecting building locations, designing the build, deciding how staff are concentrated, entering service level agreements (SLAs) or operational level agreements (OLAs) with clients, staff resourcing and planning (including key person dependency and succession planning), business expansion, and new products.

For example, an organization promotes one type of credit card and expects its usage to increase, while the DRP covers only its other products. A consultant identifies the gap and requests a DRP for the product being promoted. Interactions of this kind, and the resulting actions to mitigate risk, are possible only when the business continuity culture is embedded within the organization.

Implementing
Implementing the culture can be challenging, and the approach must be agile enough to suit the business environment because, often, things do not go as planned.

Training
Training and awareness are necessary to build culture and make sure that personnel are equipped with necessary skills and knowledge. Offering training can resonate at a personal level, and when it is relatable, it proliferates throughout an organization.

According to PricewaterhouseCoopers (PwC), 61 percent of chief information security officers (CISOs) and chief information officers (CIOs) say that they are seeing an increase in risk from the use of non-enterprise devices and software due to more people working remotely.1 Leaders need to double down on targeted communications and training, enforce policies, and embed effective controls.

Checking
When personnel, including staff and vendors, participate in testing, the importance of IS&BC is felt. The effect is stronger when top officials take part and emphasize the importance of business continuity and testing. It is always important to thank and acknowledge the test participants in a written report and to send that report to senior management. This reinforces future support and helps to promote IS&BC within the organization. Personalized gifts or acknowledgments for participants can also help to improve the IS&BC culture.

Tests could include a penetration test or an exercise of the cyber-incident response plan or the DRP, but the focus should be on embedding the IS&BC culture by speaking to people and helping them understand why IS&BC deserves attention in day-to-day operations.

Improving
Improving the culture continuously is a slow and steady way to win the race. For example, during an interview, the head of security was observed keeping a chair nearby to prop the door open because she had forgotten to carry her access card. This demonstrates the apathetic state of the culture in that organization. The IS&BC culture needs to be continuously improved; it is not a one-time exercise.

Third Party
Outsourcing and dependence on third parties are increasing, especially for managed IT hosting, security monitoring, call centers and business processing.

According to the 2020 Business Process Outsourcing in Australia report, the business process outsourcing (BPO) industry provides a variety of back office and front office functions to businesses such as call center operations, IT services, debt collection and recruitment services. Overall, industry revenue in Australia is expected to increase 3.1 percent in 2021.2

The procurement process must identify whether IS&BC aspects are relevant to a service or product by applying an impact assessment. Once the impact assessment is conducted, appropriate checks need to be undertaken, and these must be built into the procurement culture so that they are carried out in substance and not merely to “tick a box.”

Existing vendors need to be assessed for their compliance and IS&BC culture, which can be evident from conversations and tests or audits.

Increasingly, professional services and subscriptions are available to detect whether data held by a vendor has been leaked. If organizational data have been breached, these services help to limit the damage when all other means have failed.

Aids
There are several aids that can be useful in strengthening the IS&BC culture. Not every aid will be useful for every organization, so finding the best match and utilizing the right aid is critical.

Propaganda
Good propaganda at the right time helps to develop the IS&BC culture. Some of it can center on successful recovery efforts. Failures should also be disclosed, accompanied by a constructive action plan to rectify them, which in turn builds the IS&BC culture within the organization. Mentioning IS&BC aspects in incident reports and in success or failure stories assists in embedding the IS&BC culture.

Standards
Obtaining certification against standards such as ISO/IEC 27001 and ISO 22301, and publicizing it through internal and external communication channels, is one way of demonstrating the importance of standards across the organization and to partners and customers. It also helps in obtaining funding and other assistance from top management. Annual certification audits can be used to motivate people to perform tasks that contribute to embedding the IS&BC culture. Organizations should also capitalize on other disciplines and standards to develop the IS&BC culture. For example, if an organization is being certified for ISO/IEC 27001, it adds value to promote business continuity together with information security. The same approach can be taken with other standards or initiatives.

Regulations
Mandatory compliance with regulations in an industry or country, especially where a specific IS&BC standard applies, may also help. Data protection, privacy and security regulations are being implemented across various jurisdictions (i.e., country- or state-level regulations), often aligned to well-known international standards. These regulations help to embed the security and continuity culture.

An example of the impact of security regulations is the Privacy and Data Protection Act enacted in Victoria, Australia, in 2014, which provided for a standard to be published. In 2016, the framework and standards (the Victorian Protective Data Security Framework [VPDSF] and Victorian Protective Data Security Standards [VPDSS]) were published, and Victorian Government agencies were allowed time to respond and comply. From a culture perspective, this has influenced every Victorian government executive. They understand that, at a minimum, they are accountable for information security and should take it seriously. Security is now a regular part of executive discussions.

Buy-In From Others
Obtaining support and appreciation from important stakeholders is a must. For example, in one organization, IT projects were delayed because the penetration test conducted at the end of each project identified serious security gaps that required additional time and cost to fix. Once security was embedded, a security-by-design approach was implemented and secure coding principles were provided to project managers. Projects then finished on time, without unexpected security problems at the end.

Influencers
Using influencers is very important to successfully embed the culture. In each organization, the best influencers have to be identified and utilized wisely.

Management Commitment
A top-down or a bottom-up approach may be used, depending on the situation, but in most cases the tone at the top matters. Executives should support security and continuity initiatives by sending emails, being part of tests and trainings, and speaking to staff about the importance of IS&BC.

Executive management’s support for embedding the IS&BC culture can also be obtained by influencing management indirectly, as described in the following sections.

Job Security
The biggest personal risk for C-level executives is that they cannot easily get another job if the organization fails because of a security or continuity event. For example, an Australian organization that provided web hosting services to various organizations failed due to a cyberattack. A C-level executive of that organization ended up working in a factory because no one would hire the person who had headed security at the failed organization.

Create Reports
Reports and dashboards with progress and gaps can be sent via board papers and executive papers to provide briefs. This is an opportunity to propose solutions to achieve the desired security and continuity outcome.

Enable Business
When IS&BC enables the business to achieve its objectives and increase revenue, it will be embraced and supported. The use of the business enabler approach is more popular with executives than approaching with the cost of noncompliance.

For example, an organization provides managed services to a sector in which the security of the information handled is a priority and uptime requirements are very high (24/7). There is competition in the market from other managed service providers offering similar services. In discussions with the sales team to understand their priorities and how they could gain an edge over competitors, it emerged that customers prioritized the security and availability of services, so the team translated that into a security strategy aligned with the business objectives. The investment in IS&BC was expressed in terms of expected revenue and presented to the executive leadership, who accepted and supported it. From the executives’ perspective, investing in IS&BC would generate more revenue, so they supported it.

Set Objectives
Setting objectives and hitting targets is important for the promotion of IS&BC culture.

  • Setting personnel goals and objectives for key personnel around IS&BC, such as the chief operating officer (COO), CIO, and critical business unit heads and associated IS&BC coordinators/champions, is imperative.
  • Creating short-term targets that can be quick wins is attention grabbing. It enables the entire organization to appreciate the progress. It can also be beneficial to reward and recognize the people who help the IS&BC initiative. For example, reward those who report phishing emails or departments that comply fully with a security audit.

Address Myths
The biggest challenge in an immature organization is converting people who have been operating without any reasonable IS&BC setup in the past.

  • People may say, “I have worked here for 25 years and nothing has happened.” Responses should explain that it is better to plan to reduce the impact of a disaster and establish plans now to recover if such an event were to occur, even if no disasters have happened in the past. Once they understand the need for security and continuity, people who object initially often become supportive.
  • Job continuity planning (JCP) can be appealing to employees because it relates business continuity planning (BCP) to their own roles, and it can be used successfully to embed the business continuity culture in an organization.
  • The current pandemic crisis can be used as an example to convince executives and other staff of the need to prepare for a security or business continuity event.

Remove Obstacles
It is necessary to identify obstacles and remove or overcome them. People may be obstacles in the IS&BC initiative and need to be converted. The best approach is to discuss their concerns on a one-on-one basis.

Identify Champions
Champions within business units play a vital role in changing the IS&BC culture. They act as advocates and can convince their business unit leaders and colleagues to pay attention to IS&BC matters. For example, a consultant explained to a salesperson why security must be taken seriously, and as a result the consultant was invited to the first meeting of every new bid. The salesperson then told the CEO about the need to pay attention to security and about some of the serious gaps that existed. This helped to strengthen the security culture.

In some organizations, champions are officially appointed. However, unless the appointed security and continuity coordinators appreciate IS&BC concepts and work earnestly, it is preferable not to keep them in the role, even if a manager appointed them, because they will negatively affect the implementation of the IS&BC culture. At the same time, there may be others who are not IS&BC coordinators but who are influencers, support IS&BC efforts and appreciate the need for them. It is important to capitalize on their support by giving credit for their suggestions and contributions.

Identifying supporting partners and obtaining initial wins improves the IS&BC culture. In one organization, there was a struggle with the safety department and its inability to get fire wardens appointed and committed for training. Appointing the existing business continuity coordinators as the fire wardens and providing them with training did not cost much, but it paved the way for their fullest support in future business continuity efforts.

Related Disciplines
In every organization there may be other disciplines that are more influential and mature. Business continuity should blend with them and introduce itself through related disciplines such as safety (work health and safety), physical security, information security, environmental protection, operational risk management and insurance. For example, if insurance is well accepted in an organization, it is easier to show how insurance is complemented by business continuity efforts and how premiums are reduced as business continuity matures. Linking audit with business continuity is generally less welcome. Cybersecurity insurance is currently gaining momentum, and a well-established cybersecurity culture can reduce the premium.

Each organization has different needs and sensitivities, and success depends on how best to introduce IS&BC through the right topic of interest.

Measurement
It is difficult to measure the extent of IS&BC culture of an organization, but the following qualitative measures can be considered:

  • Is IS&BC considered in the annual reports, values, risk appetite and objectives of the organization?
  • Are IS&BC issues raised in executive meetings and when making decisions regardless of the agenda?
  • Are managers and staff considering IS&BC when making decisions, determining budgets or determining key performance indicators (KPIs) without the explicit request from IS&BC teams?
  • Are the business units and supporting units requesting IS&BC risk assessments, tests and plan revisions on their own?
  • Are the business units suggesting improvements in IS&BC?
  • Is reasonable funding allocated for IS&BC initiatives?

Survey: Benefits and Focus

According to the 2018 ISACA® and CMMI Institute Cybersecurity Culture Report: Narrowing the Culture Gap for Better Business Results, the benefits of a cybersecurity culture include:3

  • Increased visibility into potential threats
  • Reduced cyberincidents
  • Post-attack resilience to resume operations
  • Increased capacity to engage in new business
  • Consumer trust in their brand offerings

According to the same survey, the top three influential factors of cybersecurity culture are:4

  • Training
  • Policies and communication
  • Management commitment

Conclusion

To be effective in securing information and in developing the ability to respond to and recover from incidents of different magnitudes, the IS&BC culture should be embedded within the organizational culture. Compliance with IS&BC standards does not by itself demonstrate an effective IS&BC culture, but it helps to build that culture within the organization.

Security professionals should understand their organization and follow a process, using aids and influencers, to embed the IS&BC culture.

Measuring the IS&BC culture can be challenging and subjective; however, some qualitative measures can be used for tracking improvement. It takes time to develop and embed the culture, and measuring and fine-tuning continuously to further improve the organization will lead to success.

Endnotes

1 PricewaterhouseCoopers (PwC), PwC Workforce Pulse Survey, USA, 2020, https://www.pwc.com/us/en/library/covid-19/workforce-pulse-survey.html
2 IBISWorld, Business Process Outsourcing in Australia Report, Australia, 2020, https://www.ibisworld.com/au/industry/business-process-outsourcing/5515/
3 ISACA and CMMI Institute, The ISACA/CMMI Institute Cybersecurity Culture Report: Narrowing the Culture Gap for Better Business Results, USA, 2018, https://www.isaca.org/-/media/info/cybersecurity-culture-report/index.html
4 Ibid.

Samuel Shanthan, CISM, CIPM, CPRM, MBCI

Has more than 19 years of information security, business continuity, and risk-related experience in large multinational and Fortune 500 companies and has held global and national leadership roles. He can be reached at Samuel.Shanthan@gmail.com.