Tone Resonates Throughout an Organization: Be Sure It’s the Right Note

Policies are written.  Processes documented and implemented.  Layered controls in place.  Employees trained.  Hmmm.  Looks like we’ve covered everything necessary to keep our enterprise secure… well maybe not everything.  There’s still that small problem of lack of actual executive office support.

I don’t think you’ll find many executives who will tell you security isn’t important.  In fact, to say so publicly would be just plain dumb.  However, what they say and what they do might be two different things.  And the most important thing they should do is provide more than “lip service” to security programs.  When executives say the right things and act in ways which show clear support for security, then they are setting the right tone for the organization. 

Management behavior should coincide with the culture it tries to form; managers fulfill an example function.

The heart of every organization is its employees—their individual integrity, values, competence and work environment.  Tone at the top is a critical influence on this.

Source: Tone at the Top is Vital!, Christine Bruinsma and Peter Wemmenhove, ISACA Journal, v3 2009, pp. 39-42.

Tone at the top includes not only speech, but also action.  All employees, from senior management down to the newest clerk, must understand what is and is not acceptable behavior.  In addition, they must understand the consequences for not following secure practices, including the expectation of swift but fair sanctions.

In too many organizations, management doesn’t have the will to impose sanctions on employees who don’t follow established processes, taking shortcuts to achieve desired outcomes.  Achieving outcomes in this way moves the business forward, but at what cost?  The negative business impact of this type of behavior is often not evident until a data breach, a failed audit, or some other serious security incident occurs.

There are also too many instances in which a double-standard exists within an organization, with security controls applied differently based on a person’s perceived importance.  The double-standard is often based on the assumption—an assumption made by the affected parties—that managers above a certain level are too responsible to make the mistakes of common employees or managers.  In other words, the tone coming from the top is “do as I say, not as I do.”

Finally, the wrong tone is sometimes set by meeting comments which indicate less than full support for security controls.  These comments are often intended as comic relief, but over time they can weaken the effectiveness of efforts to safeguard the organization.

Once senior management signs off on a security program, they must support it openly and unequivocally.  Department heads and their management teams must understand that security expectations are not just an IS or Security problem.  Rather, they are also the expectations of senior management.  Building this perspective should begin with new hire orientation and continue via awareness programs and appropriate supportive comments during business meetings.

I’m lucky to work for an organization where senior management “gets it.”  Because of their support, achieving HIPAA and SOX compliance was not an IS or Security responsibility.  It was a business responsibility with clearly stated executive expectations.  Compliance was reached through collaboration of teams across the organization.  It worked because senior management said it must.  The tone was set and managers/employees fell in line.  Continued compliance exists because support for doing the right thing has never wavered.