One Article Review

The article:
Source NoticeBored
Identifier 409415
Publication date 2017-09-19 07:01:06 (seen: 2017-09-19 07:01:06)
Title NBlog September 19 - what is 'security culture'?
Text For some while now, I've been contemplating what security culture actually means, in practice. Thinking back to the organizations in which I have worked, they have all had it to some extent (otherwise they probably wouldn't have employed someone like me!) but there were differences in the cultures. What were they?
Weaknesses in corporate security cultures are also evident in organizations that end up on the 6 o'clock news as a result of security and privacy incidents. In the extreme, the marked absence of a security culture implies more than just casual risk-taking. There's a reckless air to them with people (including management - in fact managers in particular) deliberately doing things they know they shouldn't, not just bending the rules and pushing the boundaries of acceptable behavior but, in some cases, breaking laws and regulations. That's an insecurity culture!
The strength of the security culture is a relative rather than absolute measure: it's a matter of degree. So, with my metrics hat on, what are the measurable characteristics? How would we go about measuring them? What are the scales? What's important to the organization in this domain?
A notable feature of organizations with relatively strong security cultures is that information security is an endemic part of the business - neither ignored nor treated as something special, an optional extra tacked-on the side (suggesting that 'information risk and security integration' might be one of those measurable characteristics). When IT systems and business processes are changed, for instance, the information risk, security and related aspects are naturally taken into account almost without being pushed by management. On a broader front, there's a general expectation that things will be done properly. By default, workers generally act in the organization's best interests, doing the right thing normally without even being asked.
Information security is integral to the organization's approach, alongside other considerations and approaches such as quality, efficiency, ethics, compliance and ... well ... maturity. Maturity hints at a journey, a sequence of stages that organizations go through as their security culture emerges and grows stronger. That's what October's
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.