Are users in your organization fully empowered to use their computers -- to install and update software, define printers, and perform other routine tasks? Or do they have to call the help desk for every little thing they need done, frequently waiting several days only to be told, "No, we cannot do it," "It will compromise security," or "It's just not allowed in our organization"?
Having worked in both types of organizations, and having managed the IT environment in an empowered organization as CIO/CISO, I have observed that users in the second type of organization have an antagonistic relationship with IT and information security. They feel security is someone else's responsibility. Experimentation and innovation are low. IT is usually overworked and understaffed and does not enjoy fulfilling the majority of requests, since they are routine and present no new challenges. The typical call volume for service is also very high.
In the empowered organization, users are more conscious of and more engaged in security. There is a collaborative relationship with IT, which is viewed as helpful. Users also recognize and accept information security as their responsibility.
Organizational information security rests on three pillars: technology, policy, and people. Getting the people part right is very important for any organization. Getting it wrong could hurt the organization in many ways. Users could intentionally bypass security measures they do not view as helpful. They could fail to disclose problems or share concerns. They could suppress important ideas and suggestions that could improve the security of the environment.
During a keynote address at a recent CISO Executive Summit in Washington, DC, Ira Winkler, CEO of Internet Security Advisors Group, told CISOs to create a collaborative relationship with users to keep IT from being labeled as the "Department of No." Justin Somaini, CISO of Yahoo, shared similar experiences during an afternoon keynote. He argued that it was important to get users within the organization to accept information security as their personal responsibility. One key way to accomplish this, he said, is to empower users.
Somaini found very little difference in security between empowered and non-empowered environments. But in my own experience, I have observed more virus infections and security issues in organizations with severe restrictions on user capabilities, primarily because the absence of a security culture promoted unsafe user behavior.
The remarks by Winkler and Somaini made me think of the safety culture I observed at a nuclear power plant early in my career. The organization was run according to key values such as safety, employee empowerment (with a questioning attitude), teamwork, customer service, excellence, and diversity. These values were consciously driven throughout the organization. All employees were empowered to question any order they believed would reduce safety, and supervisors could not penalize employees for such questioning. Everyone was encouraged to think continuously of ways to improve safety. Thus the germination of grassroots ideas from the people closest to the work was part of the culture. This produced a highly safety-conscious workforce, superior team spirit, a collaborative relationship between workers and management -- and an excellent safety record.
The same principles could achieve a culture of information security within an organization. After all, information security isn't much different from safety.
Granted, in a few highly controlled, top-security environments, empowerment may not be appropriate. Users who work in these environments easily recognize and appreciate the restrictions. However, most enterprises would benefit greatly if a culture of security were cultivated throughout the organization. User empowerment and the cultivation of a collaborative relationship between IT and the user community may be the key ways to foster such a culture.
— Mansur Hasib has served in CIO/CISO and other leadership roles in the public, private, and education sectors.