As information security professionals, it is our job to assess, manage, and monitor risk. But what happens when organizations don't acknowledge risk? In this blog post, I am going to focus on the crippling effects of the lack of senior management buy-in, as well as end-user pushback, on the creation and development of an information security program.
As organizations grow increasingly dependent on technology, there is an inherent necessity for information security and data privacy. Some organizations have mature security postures while others lack an information security program altogether. Information security professionals brought into the latter situation will require time and patience to effect even minimal changes. Senior management's support is crucial.
When I interviewed for my first information security job, I was asked questions about my education and experience by the CIO and IT Director. During the interview, I was told that I would be providing end-user support as well as focusing on information security. I was ecstatic because I was currently enrolled in a graduate program and set to graduate with a Master's in Information Security Management in a few months. I would have the ability to apply everything that I was learning about.
I had a variety of responsibilities including IAM, IT support, networking, and system administration. I was also tasked with developing an information security program from the ground up. I reported directly to the IT Director who had approximately 20 years of experience in IT, but did not specialize in information security. I was overwhelmed but determined and motivated to bring about change. I learned about the business units, their processes, and the applications and programs that they depended on. I asked to see the organization's information security policies. There were none. I began writing information security policies that were tailored to the organization. I wrote approximately thirty policies and presented them to the IT Director. I still don't think he's read through them all.
I had my own office, which was filled with manila folders. These manila folders had the names of each computer in the office along with the names of the programs installed on each. To say I was taken aback was an understatement. However, there was only one person in the IT department. I understood why it probably wasn't a priority. I began building an asset management database to replace the archaic and inefficient use of the manila folders.
It was clear that there was no asset management. That meant that there was no patch management, which meant that there was no vulnerability management. A penetration test was never performed. There was no incident response plan. There were no business continuity and disaster recovery plans. At least they were using an MSP for backups and business continuity.
It should not be surprising that there was no information security awareness and training program. I began developing an information security program that focused on security best practices, social engineering (e.g., vishing and phishing) and security incident reporting. The security training I provided fell upon deaf ears. I walked by the CIO's office every day and her computer was usually unlocked. What made matters worse was that she had Domain Administrator privileges, as did the IT Director. I voiced my concerns about using an account with Domain Admin privileges for everyday tasks that didn't require them. I still think the IT Director uses it though.
I felt like my coworkers hated me. They never had to lock their computers before because no one cared. They would tell me how "strict" I was. They would characterize me as some information security tyrant whose job was only to make their lives more difficult. The information security program I had worked so hard to develop was being met with disdain and disapproval. The organizational culture was clashing with my endeavors. It was frustrating, but I tried not to take it personally.
I decided to write a proposal to attain a budget for information security. I spent months communicating with dozens of vendors. I sat through hours of demonstrations. I inquired about retainers for incident response and forensics capabilities. I also got quotes from various companies for penetration tests. I created a cost-benefit analysis for each information security control. I was really pushing for asset management, patch management and vulnerability management tools and solutions.
I presented the proposal to the CEO and his response was, "How do I know you're not going to keep asking for more money to buy new controls?" The CFO stated, "This is the way that we have always done things and we've been fine." I guess you can predict how this story ends at this point. I never got the security budget. I never felt like I really had a chance to develop an effective information security program. I was just there to check boxes. As long as the organization was "compliant" it was sunshine and rainbows. Well, I am here to tell you that compliance does not and will not ever equal security.
Sometimes you can't convince senior management that information security is a business risk. Some C-level executives recognize the importance of information security. Some view information security as a cost center with no return on investment. I created the blueprint for an information security program, but unfortunately there was no foundation to continue development.
If you enjoyed this blog, please buy me a coffee. https://www.buymeacoffee.com/cassiecage