Nature of Time and Time Horizon
Improving your Security Culture.
The Nature of Time and Time Horizon is the second dimension of our Ruighaver/Maynard security culture model. The time horizon that an organisation takes affects whether or not security managers and other organizational members involved in information security adopt long term planning and goal setting, or focus primarily on the here-and-now.
Unfortunately, few organisations have long-term goals in information security, and those that do seldom look beyond a time frame of one or two years. Furthermore, these goals are in most cases only aimed at building a solid security infrastructure in line with international security standards. To be fair to those organisations, there is almost no discussion in the information security literature of possible long-term strategies, and security standards also often offer little assistance.
To develop a high-quality security culture, organisations will need to place more emphasis on long-term commitment and strategic management. All too often the security focus of an organisation is on things demanding immediate attention, not on the things that may prove more important in the long run. And when they finally run into problems because their current security approach is no longer adequate and becomes too expensive to maintain, such organisations often initiate a complete overhaul of their existing information security infrastructure and decision-making processes, throwing away the good with the bad. Again, the literature on information security does not contain advice on how to restructure security management and governance structures.
Long Term planning
In our view, any organisation that would like to start increasing its investment in information security by initiating a restructuring of its security management and governance structures should first consider what long-term strategies and plans can or should be developed, and by whom. For instance, without a long-term strategy aimed at building up appropriate security-related skill sets, any restructuring will eventually fail. The environment in which the organisation's information systems operate is simply changing too rapidly for an organisation's information security to survive if the necessary skill sets are missing. Similar strategies are needed for knowledge management, as the complexity of the information systems and other IT infrastructure is continuously increasing as well.
The main theme of this web site is, of course, the need to align the security of an organisation with its organisational culture. Hence it will not come as a surprise that, in our view, the most important long-term strategy to be developed by an organisation that wants to improve its information security should be aimed at aligning the organisation's security practices and procedures with its organisational culture. An obvious example is that traditional security is still based on the implementation of restrictive practices and procedures that minimise risks. Organisational culture is often the opposite: in their normal work environment, employees are given specific goals and targets they need to achieve and are often allowed, or even actively encouraged, to bypass standard procedures and guidelines when necessary to reach those targets. If your organisational culture encourages such behaviour, why would these employees behave any differently when they are restricted by your organisation's security procedures and guidelines? Hence, if this is your organisation's culture, your organisation will need to develop long-term strategies aimed at increasing the involvement of employees in information security and at finding, introducing and fine-tuning targeted security-related objectives and goals for each of your employees. As in their daily work environment, these security-related goals and targets are necessary to encourage them to improve their behaviour and reduce security risks.