Orientation and Focus

Improving your Security Culture.

The Orientation and Focus dimension is the eighth and last dimension of our Ruighaver/Maynard security culture model. The nature of the relationship between an organisation and its environment, and whether an organisation assumes that it controls, or is controlled by, its external environment, is an important aspect of both organisational culture and security culture. An organisation may have an internal orientation (focusing on people and processes within the organisation), an external orientation (focusing on external constituents, customers, competitors and the environment), or a combination of both.

The orientation and focus of an organisation's security will clearly depend on the environment in which the organisation operates. We found, unfortunately, that if an organisation is forced to conform to external audit and government requirements, it is likely that the emphasis of its risk management processes is only on meeting these requirements, and no longer on improving its security. The organisation often believes that meeting these requirements guarantees good security. Similarly, we found that many other organisations only aim to bring their IS security in line with international industry standards. Again, the emphasis is often geared towards passing an audit to prove that they have achieved this goal, rather than on achieving the best security for the organisation within the obvious limitations of resources and budget.

As security in an organisation is influenced by both external factors and internal needs, we believe that an ideal security culture has a balance between an internal and external focus. External requirements and industry standards can obviously not be ignored, but the external focus should at least also include an awareness of the organisation's external security environment and how this changes over time. This will allow the organisation to pro-actively meet any new threats. More important, however, is that the organisation builds up an awareness of its internal security environment. If the organisation is not trying to identify what security breaches occur and why they occur, it will never know if its security strategies are working and how it can improve the implementation of these strategies.
