This morning I've been studying the final draft of the forthcoming second edition of ISO/IEC 27014 "Governance of information security", partly to update ISO27001security.com but mostly out of my fascination with the topic.
Section 8.2.5 of the standard specifies the governance objective to "Foster a security-positive culture":
"Governance of information security should be built upon entity culture, including the evolving needs of all the interested parties, since human behaviour is one of the fundamental elements to support the appropriate level of information security. If not adequately coordinated, the objectives, roles, responsibilities and resources can conflict with each other, resulting in the failure to meet any objectives. Therefore, harmonisation and concerted orientation between the various interested parties is very important.
To establish a positive information security culture, top management should require, promote and support coordination of interested party activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs. Information security responsibilities should be integrated into the roles of staff and other parties, and they should support the success of each ISMS by taking on these responsibilities."
Not bad that although, personally, I would have mentioned senior management setting 'the tone at the top', in other words influencing the entire corporate culture through their leadership, decisions, direction and control, particularly in the way they behave.
For example, even though management may formally insist upon ethical behaviour as a policy matter, if managers in fact act unethically, push the boundaries of ethicality through their decisions and priorities, or simply tolerate (turn a blind eye to, fail to address) unethical/dubious activities, that can severely erode if not destroy the value of the policy. Workers observant enough to spot the disconnect between theory and practice are, in effect, enabled or even encouraged to decide for themselves whether to comply with the policy.
In a disciplinary situation, management's failure to enforce compliance with any policy (by themselves or others) might be a viable defence for a worker accused of policy noncompliance. Aside from those that are literally unworkable and unenforceable, an unenforced policy can be a liability, a risk at least.
One way to address this issue is to separate out and bolster the compliance, oversight and assurance activities. It is perfectly reasonable to expect and require managers to comply fully with the organisation's policies and directives, otherwise why would they mandate them? Therefore, there should be suitable processes in place to identify and deal with noncompliance by anyone, not least management. Putting such arrangements in place is a governance activity.
Another complementary approach is for management to avoid formalising policies that they don't truly support. If they aren't willing to 'walk the talk', it is unreasonable for them to insist that workers comply. Being role models is an important part of leadership and governance.
A third technique is for management to think-through the compliance, and assurance aspects when formulating policies, documenting them either within the policies themselves or in separate policies on accountability, compliance, monitoring and assurance - which is the approach we've taken with our policy templates and accompanying security awareness materials.
And so our cunning plan falls into place. Policies are merely Lego bricks in a bigger governance structure.