Creating a Culture of Information Security - Eric Vanderburg, CISSP - JurInnov Ltd.

This slideshow discusses the importance of creating a culture of information security.

  • 9/11, BP Oil Spill

    1. © 2011 JurInnov, Ltd. All Rights Reserved
    2. Today’s Discussion
       • Cultural Importance
       • Cultural Surface
       • Cultural Impact on Security
       • Cultural Change
    3. Cultural Importance
       "Culture is the residue of success." - Edgar Schein
       • Make or break security
         + Concern for security
         + Above and beyond requirements
         - Uphill battle
         - Broken record
    4. Cultural Categories
       • Basis of Truth and Rationality
       • Nature of Time
       • Motivation
       • Orientation & Focus
       • Isolation vs. Collaboration
       • Control, Coordination, & Responsibility
       • Stability vs. Change
       • Orientation to Work
       Source: Chia, P. A., Ruighaver, A. B., Maynard, S. B. (2002), Understanding Organisational Security Culture. Proceedings from PACIS2002: The 6th Pacific Asia Conference on Information Systems, Tokyo, Japan.
    5. Cultural Surface: Artifacts
       • Decision making process
       • Conflict resolution
       • Meeting frequency and format
       • Working hours
       • Formality and authority
       • Dress code
       • Social events
       • Company jargon
       • Rites and rituals
       • Work/life balance
       • Communication
    6. Assessing Culture
       • Engineer disables FTP authentication to receive time-sensitive files
       • Technician hooks up an insecure wireless access point for the visiting CEO
       • Developer violates secure coding practice to get the release out the door
       • Secretary uses a personal laptop to perform business tasks to get around flash restrictions
       • Employee downloads movies from a torrent site on the company network
    7. Examples
       Cultural elements supporting and inhibiting security initiatives:
       • Token authentication
       • Asset Management
       • Security Zones
       • Encryption
       • Data retention
    8. Cultural Change
       • Deeper understanding of culture
       • Leadership’s shaping of culture
       • Cultural change factors
       • Enacting transformational change
       • Barriers
       • Temporary tradeoffs
    9. Deeper Understanding of Culture
       Edgar Schein: three levels for understanding and identifying corporate culture
       • Artifacts: visible organizational structures and processes
       • Espoused Values: strategies, goals and philosophies
       • Shared Tacit Assumptions: beliefs and values
    10. Leadership’s shaping of culture
       • What is paid attention to, measured and controlled regularly
       • Reaction to critical incidents
       • Criteria for allocating resources
       • Role modeling, teaching and coaching
       • Criteria for rewards and punishments
       • Recruiting, promoting, demoting and firing
    11. Cultural change factors
       • Evolutionary
         • Hybridization: secondary contrary or different cultural elements with primary elements
         • Growth impacts innovation
         • Increased assets affect risk tolerance
       • Transformative
         • Can a successful organization change without a breach?
       • Lewin Change Model: Disconfirmation -> Learning -> Incorporation
    12. Enacting Transformational Change
       • Compelling positive vision
       • Concrete, measurable, and achievable goals
       • Formal training of groups, not individuals
       • Learner involvement
       • Pilot group
       • Change leaders and role models
       • Feedback
       • Rewards and discipline
    13. Barriers to Transformative Change
       • Psychological
         • Fear of temporary incompetence
         • Loss of personal identity
         • Loss of group membership
       • Defensive
         • Denial – disconfirming data not valid
         • Dodging – disconfirming cause different
         • Maneuvering / Bargaining
    14. Temporary tradeoffs of culture change
       • Turnover
       • Increased conflict
       • Lower productivity
    15. Questions
