Nature of Time and Time Horizon
Improving your Security Culture.
The Nature of Time and Time Horizon is the second dimension of our Ruighaver/Maynard security culture model. The time horizon that an organization takes affects whether or not security managers and other organizational members involved in information security adopt long term planning and goal setting, or focus primarily on the here-and-now.
Unfortunately, few organizations have long-term goals in information security, and those that do seldom look beyond a time frame of one or two years. Furthermore, these goals are in most cases aimed only at building a solid security infrastructure in line with international security standards. To be fair to those organizations, there is almost no discussion in the information security literature of possible long-term strategies, and security standards also offer little assistance.
To develop a high-quality security culture, organizations will need to place more emphasis on long-term commitment and strategic management. All too often the security focus of an organization is on things demanding immediate attention, not on the things that may prove more important in the long run. And when they finally run into problems because their current security approach is no longer adequate and has become too expensive to maintain, such organizations will often initiate a complete overhaul of their existing information security infrastructure and decision-making processes, throwing away the good with the bad. Again, the literature on information security does not contain advice on how to restructure security management and governance structures.
Long-term planning
In our view, any organization that would like to start increasing its investment in information security by initiating a restructuring of its security management and governance structures should first consider what long-term strategies and plans can or should be developed, and by whom. For instance, without a long-term strategy aimed at building up appropriate security-related skill sets, any restructuring will eventually fail. The environment in which the organization's information systems operate is simply changing too rapidly for an organization's information security to survive if the necessary skill sets are missing. Similar strategies are needed for knowledge management, as the complexity of the information systems and other IT infrastructure is continuously increasing as well.
The main theme of this section of our web site is, of course, the need to align the security of an organization with its organizational culture. Hence it will not come as a surprise that, in our view, the most important long-term strategy to be developed by an organization that wants to improve its information security should be aimed at aligning the organization's security practices and procedures with its organizational culture. An obvious example is that traditional security is still based on the implementation of restrictive practices and procedures that minimize risks. Organizational culture is often the opposite: in their normal work environment employees are given specific goals and targets they need to achieve, and are often allowed, or even actively encouraged, to bypass standard procedures and guidelines when necessary to reach those targets. If your organizational culture encourages such behavior, why would these employees not behave the same way when they are restricted by your organization's security procedures and guidelines? Hence, if this is your organization's culture, your organization will need to develop long-term strategies aimed at increasing the involvement of employees in information security and at finding, introducing and fine-tuning targeted security-related objectives and goals for each of your employees. As in their daily work environment, these security-related goals and targets are necessary to encourage them to improve their behavior and reduce security risks.