There are no shortcuts in information security—no magic product that will secure the bank against the bad guys. Most of us look at security as a combination of products and compliance. We have all bought firewalls, anti-malware software, email security devices, multi-factor authentication, patch management tools, vulnerability assessment scanners, and more. We also have our annual audits, examinations, penetration test, and so forth. Maybe, if we are advanced, we have a security awareness program, conduct phishing tests, or have installed network access control systems. Perhaps some even go as far as red-teaming, either with an in-house group or as an annual exercise. If we have all these tools and submit to all these tests, most of us probably feel good about our security.
"As leaders, the choices we make, the attitudes we project, and the behaviors we portray speak volumes about the expectations of those around us"
It is really a lot like how many of our banks do customer service. We participate in non-profits in our communities, we make various donations, and we encourage our associates to smile at our customers. Many of us buy customer relationship management (CRM) software and invest in our telephony technologies. A few of us are experimenting with various online customer contact solutions, like video chat or interactive teller machines. We probably do some measurement of customer satisfaction. Minimally, we survey from time to time and the sophisticated have a mature customer feedback program. As long as our customer base grows (or at least is not shrinking), we probably feel good about our investments.
However, unless you are at one of the top five banks for customer service, your company is not quite doing the best it can. What separate the top performers in customer service are the same things that set companies apart in information security—culture.
Culture has many meanings. In this case, I am working with, “the attitudes and behavior characteristic of a particular social group.” The group here is your bank. Every social group in human history has a culture. People cannot resist watching what happens around them and seeking to be part of the group (or actively rejecting group, which is just a variation of the theme). Most often, the culture of a group is a reflection of the attitudes and behaviors of the leaders of the group. For us, that generally means the bank executives, but there are often other influencers throughout an organization that are also significant in the bank’s culture. Outstanding customer service, like superior information security, begins with the tone at the top.
Top performers have figured out that to be extraordinary at something you have to incorporate it into your culture. Bank associates who are more concerned with whether or not they have a job or the direction their bank is heading cannot possibly create delighted customers. IT staff that are just trying to keep their systems running or buried under unending projects also cannot be expected to keep their systems secure.
As CIOs, we may not be able to set the bank’s tone at the top (though we should be influencers), but we can set the tone in our own departments. Our attitudes and behaviors set the tone for our staffs and help define the IT and security culture for our banks. How many of us look at audits as an imposition that takes time away from our “real work” instead of an opportunity to see if the stories we tell ourselves are true? On our server teams, do your engineers look at the security configuration of their servers as a hurdle they have to overcome to deliver business services or do they see security as an enabler—the means to deliver not just function, but also trust and confidence? How many of us have looked through their users’ eyes at how they experience user access reviews to find a better way to stronger controls that also ensure that everyone does have the access they need?
As leaders, the choices we make, the attitudes we project, and the behaviors we portray speak volumes about the expectations of those around us. Leaders who disdain compliance have followers who do only the bare minimums to comply. If we are always chasing the shiny, new application or industry fad, our people will neglect the bread and butter activities of maintaining systems. Those basics are where we find a strong security posture. Solid patching practices, regular evaluation of vulnerabilities, current software and hardware, and attention to the details are the foundation of good information security. If we pay attention to these, we will create a culture that does the same.