Recently I gave a presentation at the InfoSec Exec Summit UK. This was the third time I have been invited to the conference, held at the wonderful Richmond Hill Hotel and organised by Tech:Touchstone. Tech:Touchstone had recently been acquired by the 451 Group, so there was a celebratory mood throughout. My talk was about automating information security governance.
My presentation reported on a project that analysed the processes handled by an Information Security help desk. One of those processes recorded the review of external data links. It was another Triplicate process and in need of streamlining. The solution had to provide a central portal reporting one version of the truth to the entire organisation.
The time savings seemed obvious, the accuracy seemed obvious and the ease of reporting seemed obvious. What I did not anticipate was how much of an impact a change like this can have on an organisation.
One of the slides in the presentation showed a four-tier description of the InfoSec approach in an organisation. The tiers are as follows:
Tactic – What is done to achieve a goal; e.g. securely linking with a third-party supplier of a needed service.
Task – How that activity is carried out: the management, documentation and audit of the process.
Habit – When the task is done: how often, and how easily.
Culture – Which tactics we are willing to employ, and how we govern them.
A friend at work showed great interest in this slide and asked me what I meant by Culture. I said it was the way people behave when it comes to InfoSec in their daily business activity. I had an example from home, where my wife and I always double-check with each other that the house keys are outside with us whenever we step out.
We once had to pay the locksmith, and from then on we have been in overkill mode. I don’t think it was the best explanation of what I mean when I say Culture, and I need to work on this some more. I will be posting more on this!
My next conference presentation is coming up on 26 March, and I am talking about the dos and don’ts of using cloud services. Next week I will write more about that, and when that is done, we can get back to Culture.