This chapter discusses culture, balance, communication, and doing the right thing. The combination of these areas contributes to an overall security policy and protection system from unwanted security intrusions.
Culture – Within any culture, there are accepted ways of everyday life. As with an organization, attitudes and approaches to events filter down from the top. The early days of security breaches found easy paths into existing systems. As different prevention from intrusions evolved, so did the complexity of the intrusions. The initial approach to information protection was to gather information to detect existing techniques. Computer security was not an integral part of the information budgets.
The need today is to make security an integral part of information budgets, beginning at the top levels. Recommendation from the 2007 Commission on Cyber Security recommended a national security strategy. This commission suggested balanced approach that “avoids prescriptive mandates,” and “avoids overreliance on market forces.” A key suggestion is to incorporate “public-private advisory group” to focus on “key infrastructures.” The overall trends need to begin at the top of all organizations for a cultural acceptance of information security that is an integral part of everyday events.
Balance – Organizations must take into account the cost of lost productivity and intellectual property due loses from security breaches. Through the use of existing knowledge of insurance claims, surveys of cost to employees and process issues a more realistic cost of security needs becomes more visible. Perfect accuracy is not necessary. Consistency with determining organizational cost is more important.
Communication – Collaboration between technical and non-technical personnel provides the best avenues to protect the organization’s information. Communicating potential areas affected by security intrusions identifies the actual negative costs. This information compared to the cost of security measures provides a look at the return on investment for security of that organization.
Doing the Right Thing -
COMPLIANCE <=/=> SECURITY
Compliance with all organizational regulations is not the same as having a secure information security. Neither does having a secure information system the same as fulfilling all of the organizational requirements. Consideration technical factor associated with an organization. The cost of the security applications must be included in policy and organization processes.