It’s been an interesting week in the world of Secure Thinking, and that was before we saw the report from the Information Commissioner’s Office that private sector data security breaches have increased 58% in a year.
We have had some thought-provoking discussions with clients and seen both sides of the information security picture.
On the one hand we have seen both major corporate clients and smaller SME businesses who seem to pay little heed to their information security responsibilities or at best offer lip-service to the requirements.
On the other hand we have seen businesses, and at least one major corporate client, who take their responsibilities very seriously indeed, to the extent that their very processes are built around a set of well-documented security requirements.
The difference is very much one of attitude.
The businesses that pay lip-service or less to their information security responsibilities see them as a burden, a cost and an interference with their way of doing business.
This is a top-down cultural issue which can only be remedied at the highest levels within the management structure of the organisation.
It isn’t something that can be fixed by employing more security specialists, by ICO adjudications or by the odd edict from above.
Security has to be built into the organisation and backed up with meaningful management buy-in and relevant decisions, policies and processes.
I have mentioned before in an article for the FT.com how engendering a “Culture of Security” is critical to real, genuine levels of information security and this is still the case – borne out by this one week of customer interaction.
We have also recently had discussions with the named individuals identified by the ICO following data security breaches. They really haven’t enjoyed the experience of being publicly named and held to account – it doesn’t look good on their CV. And these are people at the top of the organisational hierarchy not the individuals responsible directly for the security breach.
So apart from being essential for good information security practices, senior management have a vested interest, from both a corporate and a personal perspective, in developing and encouraging security within their organisation which has real muscle and isn’t just a box-ticking exercise.
Senior management need to change their attitude to match that of their more responsible counterparts and bring in a philosophy whereby information security is seen as a plus – a real, tangible business advantage that reduces business risk, provides real benefits to their customers, and enhances their organisation’s reputation. After all, poor security practices have exactly the opposite effect, and both approaches cost money.