Organizations can, and often do, make the mistake of classifying information security as only a compliance matter. Much like taxes, workplace safety, and human resources, information security is governed by a complex set of statutes and regulatory rules. However, unlike the aforementioned areas, information security cannot adequately be addressed solely as a compliance matter.
This is attributable to many factors, including: (1) the inherently valuable and essential nature of an organization’s information; (2) the ever-evolving nature of threats; (3) the relative lack of awareness of information security issues and the overall inability of organizations to effectively control and protect their information; (4) the persistent existence of intentional or unintentional insider threats; and (5) the rapidly changing national and global legal and regulatory landscape. Information security cannot be relegated to IT or delegated to one specific person or department without oversight. Information security simply must be addressed from the executive level and must be a persistent, holistic, and synergistic aspect of an organization’s overall governance.
The best practice is to change the organizational mindset from a culture of compliance to a culture of security. The first step in changing the organizational mindset is to stop thinking of information security as an item to “check” to meet minimum compliance requirements and to start thinking of it as an overarching organizational governance goal. Information is the DNA of modern organizations, and information security must be thought of in terms of how the organization is run. All of the organization’s departments and employees must fall under the umbrella of information governance and must work together to achieve the common goal. The organization’s leadership must deliver a clear and concise vision, communicate expectations, and expect results.
Changing an organizational mindset requires executive-level buy-in and a commitment to initiate, develop, and implement an information security program. It requires the bravery and dedication to allocate resources (financial and personnel) to pursuing a culture of security. It requires the fortitude to stick with a culture of security in the face of inevitable setbacks and recalibrations.
Ultimately, changing the organizational mindset to a culture of security is a simple matter of saying “yes.” In doing so, the organization will reap the benefits of increased productivity, greater security, and the peace of mind of its employees, vendors, and customers. In doing so, the organization will also not only meet compliance standards but will, in all likelihood, exceed them.