Company Culture Affects Information Security GRC

What is the culture like in your company? Do you have a friendly and supportive environment where lunches and cake are brought to celebrate achievements or birthdays? Or do you have an environment where it’s just heads down—do the work and go home? Now think about how your company culture affects information security. Does the culture instill value in the resources and processes in place to protect the business?

There’s a commonly cited framework called Governance, Risk Management, and Compliance (GRC). The governance portion of this three-legged stool is the effort to guide the business resources to achieve objectives. The risk management piece is to address the uncertainty brought by business activities while pursuing the objectives. And compliance is the periodic evaluation and demonstration of how the business is conforming to the internal and external requirements that were designed to address the risk of not meeting its responsibilities and objectives.

But how does a business culture affect information security at each GRC level?


Governance

If someone in executive management were to say, “Information security is not that important,” it would be a no-brainer to predict how the culture will affect information security: negatively. But what about the other, more subtle ways? It’s understood that executive management makes the decisions. But what danger exists when the culture and governance do not allow room to ask questions or raise issues when there are concerns? A know-it-all manner of governance misses the opportunity to take advantage of the skill, creativity, and experience of people on the ground. It can reduce the willingness of people in the company (who basically are in the trenches) to bring ideas on how technology can positively impact the bottom line, or it can be a barrier to alerting management of the security threats waiting in the tall grass.

Perhaps there’s a culture of organizational and functional silos that don’t interact with IT or the information security function—a culture of “stay in your lane.” It promotes a lack of visibility and poor integration of what IT and information security may need to have in place to protect value or advance benefits like cost reduction, reputation protection, and optimization in addition to cyber security.

No question about it: the tone at the top shapes behavior throughout every part of the company.

Risk Management

In the area of risk management, the two ends of the spectrum can be illustrated with an analogy from a popular TV series, The Good Place. The character Jason Mendoza, not known for being the brightest crayon in the box, is reckless. He met his earthly demise through a scheme to rob a restaurant by hiding in a safe with only a snorkel to breathe. He saw a high reward in his plan but went about it recklessly. At the other end of the continuum, on the same TV show, is Chidi Anagonye. His imperfection is his paralyzing indecisiveness. He is highly intelligent but goes down the rabbit hole for every decision—seeing only negative repercussions for every possibility. Chidi often fails to make decisions—missing out on opportunities that could positively impact his life.

The business culture has a direct impact on the appetite for risk that a company is willing to accept in order to pursue its business objectives. In our examples above, Jason appears to have an unhealthy appetite for risk—willing to take it at a high level to reap the benefits of robbing a restaurant. Now imagine Jason as a company with the same philosophy—taking on a risky strategy without a plan to minimize the threats to achieving the end reward. In Chidi’s case, his tolerance for risk is extremely low—unwilling to take on risk to pursue objectives. If a company’s departmental leadership had Chidi’s mindset, a safe wager would be that managers would hesitate to explore and implement new technologies to make work more efficient and accurate, eventually causing their areas to underperform or even allowing competitors to take away business.


Compliance

In the traditional view of GRC, compliance is about demonstrating conformance to a rule, agreement, law, policy, or standard. But the non-profit company OCEG provided a more complex view of the GRC model. The company introduced integrity in its Principled Performance framework. It proposed that an organization achieves genuine compliance with its internal and external obligations through a code of integrity—the actions that promote honesty and a commitment to doing things the right way. Integrity is fostered by the culture of the company, and you can bet it has a direct influence on information security. What is behind the company leadership’s willful model-by-example participation in information security training? Integrity. What promotes honest adherence to security-related procedures and policy? Integrity. What is behind the desire to maintain a client’s trust in the security of their services and information? Integrity.

By having and fostering a culture of integrity, a company puts its commitments to internal and external stakeholders high on the company value list. And it does what it can and when it can to follow through on its obligations.

The Impact on GRC

A positive culture can increase employee and management understanding of information security and the value they place on it. It can also have a direct impact on individual engagement, resulting in adherence to, and the betterment of, all aspects of information security. Yes, because of their role, some people in the company have more eyes on them to display the values and conduct that make up culture, but every single individual can play a role in the culture of the organization. Every level of the organization has the ability to move the company culture in any direction. So now, when we think of the information security GRC triad, we’re left with two questions:

How is our company culture affecting its information security profile, and what am I doing to contribute to a culture that promotes information security?

Authored By: Paco Diaz, CISA, GRCP, ITIL/F