Welcome to the SecAware blog

I spy with my beady eye ...

11 Jun 2015

Culture metrics

Over on Entrepreneur e-zine, serial company founder Greg Besner recommends the following ten metrics concerning an organization's culture:
  1. Communication
  2. Innovation
  3. Agility
  4. Wellness
  5. Environment
  6. Collaboration
  7. Support
  8. Performance focus
  9. Responsibility
  10. Mission and value alignment
OK, but why did he pick those ten parameters to measure over all the others? What makes them special?

In the article, Greg briefly explains his ten metrics in terms that make it clear why he thinks they are important. The trouble is, with just a moment's thought, I can easily come up with another ten, complete with my reasons for measuring them ... and I guess you too could come up with your self-justified list of ten culture metrics ... and so could anyone else with enough interest and expertise in this area ...

I guess right now you are puzzling over Greg's list, wondering about mine, and thinking about what else might be measured. Furthermore, I bet you are forming opinions about 'culture metrics' swimming around in your head, liking some, disliking others ... 

... and yet we haven't even attempted to reach agreement on a definition of "culture" at this point.

Ah, oh, yes.

And furthermore, who said there had to be ten anyway? What's wrong with one, or three, or fifty seven?

My point is that it's arbitrary. My choice of metrics - their number and their nature - almost certainly differs materially from yours. Both of us can justify our choices. Greg might feel compelled to defend his choice of ten. Given sufficient spare time and an ample supply of our favorite beverages, I'm sure we could have discussed cultural metrics for hours between us but somehow I doubt we would reach a consensus, for various reasons, not the least of which is that, in regard to metrics, context matters. The cultural metrics that suit, say, a hi-tech start-up are likely to be different to those chosen by a government department, or an oil company, or a school. Any one of those organizations may choose different cultural metrics as it matures. Things that happen to be in vogue today may well change tomorrow, next week, next year or whatever (remember Peters & Waterman's "In Search of Excellence"? For a while, we obsessed about the characteristics that the book identified in excellent companies, but before long we realized there were many other important parameters too, and even Tom himself backtracked in his later books).

7 Jun 2015

Privacy awareness materials available

The rough topic area having been determined some weeks earlier, a key task for us at the start of each month is to finalize both the scope and the purpose of the next information security awareness module. 
The scope is a natural outcome of our research on the topic: despite having covered most topics before, we invariably find interesting new angles and end up writing brand new content.  When we last covered the privacy topic back in 2012, we focused on compliance and espionage.  This time around, the materials mention compliance (of course!) but emphasize other aspects such as governance, respect and trust.
The purpose of the awareness module is crystallized as a set of 'learning objectives' specifying what we hope our customers' audiences will get out of the materials:
  • Inform employees about privacy concepts and their obligations, emphasizing the personal perspective (e.g. picturing themselves both as the cause and the victim of privacy breaches);
  • Outline recent privacy breaches from the news, highlighting both personal and corporate impacts;
  • Explain the associated risks and promote the corresponding controls, including aspects such as policies and procedures, informed consent, enforced notification of breaches, Safe Harbor, data accuracy and secure disposal;
  • Discuss but go beyond legal and regulatory compliance, particularly for the management audience (emphasizing the governance aspects);
  • Encourage professionals to support the organization’s privacy framework through technological controls such as access controls and encryption, and point out the privacy issues arising from network/system monitoring and surveillance.
Find out more about our take on privacy awareness here.

Gary (Gary@isect.com)