Management's Role to Promote Information Security

The success of an organization's information and cyber security program to protect its sensitive data depends on several key integrated components. You can't only assign this responsibility to your IT staff or assume that because your data is stored in the cloud there is nothing left to do.

The risks are simply too real, the financial costs too high, and the potential damages to your reputation and service delivery too severe for management not to treat this topic as a corporate priority.

One of the most important factors that is often overlooked is the role that managers within an organization play to ensure success through their own behaviour and attention to this issue. As fundamental as it sounds, it cannot be said enough that managers must look inward to ensure they are playing their part in building a corporate culture and accountability-based behaviour that consistently prioritizes information security.

Three considerations for managers / leaders to help ensure they are playing their part:

  1. Are You Setting the Proper Example?

Leaders who are serious about this topic instil a corporate culture that values information security by setting a positive example in how they, and the staff in their office, conduct their daily activities. Managers who believe they are too busy to follow security policies and procedures, and who operate under a double standard different from the one the rest of the organization is expected to meet, are in trouble. Managers must set the bar for their own activities higher than the standard, recognize when improvements need to be made, and strive to exceed the expectations they place on staff.

  2. Are You Talking about Information Security?

Managers at all levels need to communicate with their staff about information security. It is critical to continually reinforce that this subject is important to the organization, relies on the actions of everyone, and must be a daily priority within the organization.

  • Be proactive and take advantage of team meetings, one-on-one performance expectation meetings, and speaking engagements with larger groups of staff to talk about this priority before an incident occurs.
  • Initiate informal conversations with your staff to gather their ideas about challenges and tactical solutions to improve information security performance. This way they hear about this priority directly, which is more effective than only reading it in an email or in corporate planning documents.

  3. Are You Making the Required Commitments and Investments to Succeed?

If your organization is going to communicate that information security is a priority, managers must be ready to support this by allocating sufficient resources to the issue, dedicating time to implement security policies and processes, and committing to monitoring compliance.

A Few Basic Questions for Managers to Ask Themselves:

  • Are you investing in the hardware upgrades required to strengthen security?
  • Do your IT staff need help to improve security protections and, if so, have you sought out third party assistance?
  • Do you have information security policies and procedures in place?
  • Are managers and staff held accountable for adhering to security protocols?
  • Do you invest in mandatory security awareness training for staff?
  • Are your access control systems obsolete?
  • Does the physical state of your facility strengthen or weaken information protection?
  • Have you discussed a 'plan of action' to address a security breach when it occurs?
  • Do you encourage staff to report suspicious activity?

Managers Can Change the Culture

Our security experts at Castellan have seen examples set by managers that significantly improved the corporate culture of an organization so that it takes information security seriously. These managers committed to this priority in their daily actions and routinely made the tough decisions required to secure their information.

Not only is it a manager's responsibility to ensure their information security program is run successfully, but it is also just as critical that leaders pay attention to how they support the program, what they do daily with their own behaviour, and how they communicate with staff. Managers need to 'own' this corporate responsibility and ensure that the proper culture, one that values and prioritizes information security, is engrained into their organization.

Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that specializes in information security and has worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article or would like to speak to us about how our services can help your company protect its information, please feel free to contact us directly at

Ask us about our free preliminary security assessment and our Security Operations Centre (SOC) service that uses special detection technology and cyber experts to monitor your data on a live, 7/24 basis.
