Control, Coordination and Responsibility
Improving your Security Culture.
The seventh dimension of our Ruighaver/Maynard security culture model is Control, Coordination and Responsibility. This dimension of an organisation's security culture is clearly related to the security governance in that organisation. Where control is tight, there will often be formalised rules and procedures that are set by a few, to guide the behaviour of the majority. The need for governance is limited. Where control is loose, we expect flexibility and autonomy of workers, with fewer rules or formal procedures and shared decision-making. It is that shared decision making that depends on high quality security strategies and a well developed security strategic context.
An organisation with centralised decision making tends to have tight control. Tight control allows for efficient security management, but it reduces the flexibility of the organisation to respond to the current dynamic environment of information security. The literature suggests that even where mechanisms of control and formalisation exist within a centralised organisation, a culture of fear, uncertainty and loose control may cause those control mechanisms, such as policies, rules and procedures, to become dysfunctional. We have only investigated a few organisations with centralised decision making and have not encountered that situation ourselves.
Loose control in security needs better governance.
To cope with the current dynamic business environment, most organisations have opted for a more flexible, decentralised decision making structure. While those organisations are likely to have loose control, change management processes may still influence how loose the control actually is.
It should be obvious by now how important it is that an organisation's security culture is aligned with its organisational culture. Tight control of security in an otherwise loosely controlled organisation is therefore not likely to work very well. It is surprising, then, that organisations most often still attempt to keep tight control over their security. We believe that this is a direct result of the current lack of guidelines for adequate security governance at the middle management level, in both the literature and the current security standards. If an organisation has not developed a proper security strategic context, loose control of security will simply not work.
Loose control also increases the importance of coordination. As discussed under motivation, improving horizontal social participation in an organisation can be an important tool for improving coordination.
Responsibility needs accountability.
Independent of whether control is tight or loose, clear guidelines on who has decision rights in the different areas of security, and when, are essential. This aspect is often called responsibility, and ensuring that all responsibilities have been assigned is a required feature of any strategic security policy. It should be realised, however, that having responsibility and feeling responsible (see orientation to work) are two different issues. Additionally, the delegation of responsibility to employees does not remove the need for top management support. Top management support for information security is a significant predictor of both the direction of an organisation's security culture and the degree to which its security policies are enforced. Therefore, whereas operational responsibility and accountability may lie with middle management and end-users, top management has a clear responsibility to:
With responsibility comes accountability. We believe that most security cultures are still inadequate in how the organisation handles accountability for decisions in security management. A lack of even the simplest accountability processes, such as basic feedback loops in which decisions are discussed with higher levels of management, seems to be a fairly common occurrence.