Orientation and Focus
Improving your Security Culture.
The Orientation and Focus dimension is the eighth and last dimension of our Ruighaver/Maynard security culture model. The nature of the relationship between an organization and its environment and whether or not an organization assumes that it controls, or is controlled by, its external environment is an important aspect of both organizational culture as well as of security culture. An organization may have an internal orientation (focusing on people and processes within the organization) or external orientation (focusing on external constituents, customers, competitors and the environment), or have a combination of both.
The orientation and focus of an organization's security will clearly depend on the environment in which the organization operates. We found, unfortunately, that when an organization is forced to conform to external audit and government requirements, the emphasis of its risk management processes is likely to be only on meeting these requirements, and no longer on improving its security. The organization often believes that meeting these requirements guarantees good security. Similarly, we found that many other organizations only aim to bring their IS security in line with international industry standards. Again, the emphasis is often geared towards passing an audit to prove that they have achieved this goal, rather than towards achieving the best security for the organization within the obvious limitations of resources and budget.
As security in an organization is influenced by both external factors and internal needs, we believe that an ideal security culture has a balance between an internal and an external focus. External requirements and industry standards obviously cannot be ignored, but the external focus should at least also include an awareness of the organization's external security environment and how it changes over time. This will allow the organization to proactively meet any new threats. More importantly, however, the organization should build up an awareness of its internal security environment. If the organization does not try to identify which security breaches occur and why they occur, it will never know whether its security strategies are working or how it can improve the implementation of these strategies.