Organizational Security Plan and Culture

Organizational Behavior Organizational security reflects the need to protect the organization against theft, cybercrime, and other instances of criminal activity that can undermine a business' profitability, or in some cases even its viability. From cases like the Max Vision hacking case with CapitalOne (Poulsen, 2010) to cases of inside job theft at hotels (Partridge, 2014), there are many internal and external risks that an organization faces. Managing these risks is often thought to simply be the duty of security teams, but that is not at all the case.

A cybersecurity team can handle the technical aspect of security, for example, but an employee not protecting a key password can be a bigger breach than anything embedded in the software. Organizational security is, ultimately, everybody's job, and optimizing organizational security is therefore something that should be embedded in the organizational culture. Cultures emerge in organizations, but managers and leaders within the organization can influence the development of organizational cultures (Cooke & Rousseau, 1988).

Leaders both formal and informal have the ability to cast influence over behavior through their words and actions, while managers have tools at their disposal in the form of the proverbial carrots and sticks to influence the behavior of people within the organization. As such, there is a link between how a culture develops, what management does to encourage the development of culture in specific ways, and the outcome behaviors of the organization.

When those behaviors are strongly oriented towards defending the security of the organization, organizational security risk will be lower. Sanctions are one means by which managers influence behavior in an organization, as they have the ability to punish people for poor security behaviors. Guo (2013) notes, however, that there is rather inconclusive evidence about the efficacy of sanctions in motivating behavior. This calls to question whether ad hoc punishment approaches are truly going to be effective.

Moreover, one breach can cost a company millions, so any punishment after the fact could ultimately be pointless as the damage has already been done. The lesson from this is that organizational culture and behavior need to be proactive where security is concerned, in order to be most effective. The organizational security plan therefore needs to build in training and motivation at the proactive level in order to be effective. The first component, training, is required, to help employees understand the issues.

Building a security culture at an organization where none has previously existed should be seen as an organizational change endeavor -- without this view, the inertia of the status quo could scuttle any attempts to change or alter behavior within the organization. Thus, education and training forms the first part of the organizational security plan, because employees need to understand the risks, why these risks are greater today than they once were, and the role that each person plays in mitigating these risks.

This is, in essence, creating the crisis that creates readiness in the organization for change (Armenakis, Harris & Mossholder, 1993). The second component of the organizational security plan involves leadership. Leadership buy-in is critical to any organnziational change effort. Leaders often fall into the trap of assuming the security is for security specialists, when the reality is that the leaders in an organization are the best targets for hackers, for example. Leaders have access to substantial information, and can be complacent about security, assuming that their security people have it covered.

The reality is that the leaders need to be treated like everybody else in the organization -- they need to be motivated about security, trained on proper behaviors, and then they need to become the vanguards for the change process. They can be effective in this role because this is one area where organizational leaders can genuinely relate to the rank-and-file, as having had to learn about the need for security behaviors. That represents substantial opportunity for leaders to influence organizational behavior.

The third component is the specific training and building in that training to things like job descriptions and job evaluations. The employees need to know exactly what is expected of them. Then, they need to know what the consequences of poor security behaviors are, and what the rewards are for developing ways to enhance organizational security. Initially, no punishment will be handed out for poor security behavior, because it is preferred that employees help each to improve their security behaviors.

That means that people whose behaviors are identified as poor will be identified and coached, rather than punished, as positive motivation is seen as being more consistently effective for building security awareness and behaviors. The fourth aspect is the information campaign, which will be ongoing. Organizational security is an ongoing effort, and will require behavioral changes as technology changes. Many aspects of organizational security today did not exist ten or fifteen years ago.

Thus, the information campaign needs to be spread out over time, and money budgeted for these internal communications. They will highlight risks, incidents and responses, new.