BOOK REVIEW: Creating a Culture of Security by Steven J. Ross, ISBN 9781604201833, ISACA
I've known Steve Ross for over 20 years and so it was especially gratifying to receive his note when he published his new book, Creating a Culture of Security.
This book comes none too soon for an experienced practitioner like myself who has long believed that the culture of an organization can be the single most important factor ultimately influencing the success or failure of an information security program.
As a consulting manager in a large accounting firm (we were one of the "big eight") years ago, I realized that the issue of culture was not one easily raised with clients. It was almost impossible to raise with partners.
The issue was simply considered "too touchy-feely" to be discussed alongside serious matters like audit findings. But when I think about my early years in information security, almost all of the great stories are about culture.
One example: I was brought in by the audit side to help complete the audit report for a leading Fortune 50 healthcare company. The issue of information security had been raised and the audit partner asked me to review the report and comment.
During the review, it was noted by the audit senior that RACF (Resource Access Control Facility, the premier IBM product for controlling access to data in a mainframe environment) had been installed.
I asked the partner if I could do a little bit of additional data gathering. I simply asked the audit senior to tell me the runtime parameters for RACF. When we finished gathering this data for multiple mainframe instances, it became clear that while they had certainly purchased and installed RACF in the environment, the client simply had not turned it on for day-to-day operations.
It emerged that RACF was purchased (at a cost of well over $1 million) because senior management was reacting to an earlier audit report that insisted that RACF be used in the environment for information security. However, the culture of the company, and of its IT department in particular, was one of "let's see if we can get away with malicious compliance."
The audit senior and I determined that the question of whether or not to turn RACF on was never actually considered in any memorandum or project report or service ticket. The fact that it was not turned on went unreported at any level of management. Plain and simple, this was a cultural issue - an issue that trumped a major capital investment. The book is replete with anecdotes with which most experienced readers will identify all too painfully.
Information security practitioners tend to look for "bright shiny objects" and focus on those as the centerpiece of their information security programs. Often, training is an afterthought and awareness is relegated to "lunch and learn" status. Ross does an excellent job of covering the benefits of a positive - or one might say constructive - security culture and the penalties of enduring a negative security culture.
Book sections deal with specific messaging about security in ways that help avoid the "security as traffic cop" and other negative stereotypes. Also covered are emerging issues such as "security" not always residing within the information security department but often being found dispersed in many different parts of a typical organization.
Thus, practitioners across the full spectrum of information security functional knowledge and maturity will find much in this book to help them see their own programs and their own organizational situations in a new and fresh perspective.
Even if you disagree with some of Ross' statements about security culture, he presents them in such a concise and meaningful way that there is abundant food for thought as you deal with issues of culture and your own information security program within your own organization.
As with much of information security, effective practice is not an exact science... You may take a different approach from Steve Ross concerning your own culture and how to deal with security within that culture but you'll be able to say "my analysis of the culture based on Ross' constructs leads to a different conclusion."
Ross includes some wonderful quotes including one of my favorites on the subject of risk: "risk is the gray area between the clearly foolish and the clearly acceptable risk." I was immediately reminded of some of my own research on information risk management regarding the highly personal aspect of risk. Ross puts this in the context of the organization.
For example, ask yourself: could any other company besides Apple wisely conclude that the research investment necessary to develop the iPhone was an acceptable risk to take? Conclusion: some companies should take certain risks while other companies should avoid taking the very same risk. Infosec doctrine does virtually nothing to address this issue.
Culture turns out to be a huge determinant of risk assessment. With professional discussion of information risk somewhat chaotic today, Ross' book helped me see this from a fresh perspective and this alone was worth the price of the book (full disclosure: the book can be downloaded for free by members from the ISACA bookstore and is available for purchase for $50 by nonmembers).
How many of you can say that the company culture is part of your information security risk management process today? Maybe it should be.
The final section of Ross' book, "Positive Reinforcement", is a treasure trove of insight into how to improve the outcomes and the cultural alignment of your information security program; this section will be well thumbed and never far from the desk of any newly minted CISO.
One could argue that ISACA and the Infosec community in general have been a little slow on the uptake when it comes to the importance of culture not only in the analysis and mitigation of information risk but in IT governance in general.
The topic is barely touched on in CGEIT (Certification in the Governance of Enterprise IT) literature and I hope that ISACA's publication of Steve Ross' new book signals openness to taking a fresh look at culture as important body-of-knowledge programs evolve.
I wholeheartedly recommend reading this book for any senior practitioner in information security, risk management, or even IT auditing to gain an important perspective on how the culture of a company specifically affects the success of the information security program.
Cross-posted on CISSPFORUM, a membership forum open to CISSPs only