Case in point: Have you ever seen a job (opening) profile for a ‘first line’ position where awareness and active promotion towards staff of information security and privacy, was listed at all ..?
Now there’s two Buts [with not two but (sic) one T] you will inevitably come back to me with and I’m not even going to use <ol>:
1. “… But those are not even tasks of the first-line manager” – you see how wrong that is when I write it out for you. If your org doesn’t have infosec and privacy at the core of each and every first-line managers’ tasks, your org will not only be completely non-‘compliant’ with any standard or requirements [since these all have awa and control in the first few chapters that define what needs to be done; the simpleton rules in the back are always just examples to pick from] but will also fail big time as the vastly major part of your infosec / privacy will not be controlled and the outside attackers (act of man, acts of nature) will be.
2. “… But other ‘staff’ departments also don’t have their requirements in the job profile” – Yes they do. Nothing on ‘cooperative attitude’, ‘works well with people’ …!? Those are to-control requirements from the HR department or what ..? Managing budgets not a thing from Finance? To work within industry compliance requirements not being from Compliance ..? And the list goes on and on. But Infosec, or Privacy – not so much.
Now, if your organisation would care for infosec+ in a proper way and would actually want to do what needs to be done, the first 80% would be with … first-line ‘management’ to take execution into their realm. Which only happens if one hires the right people, that understand and execute along their job requirements. When there’s no infosec in those, nothing will be measured and only what gets measured, gets done [yeah, yeah, excepting the precious few shiny exceptions; those are Leaders not managers where of the former you have only a handful and of the latter a vast mass drowning out the former qua effectiveness].
QED
Now what ..? Well, obviously: Put infosec/privacy awa and control into each and every job profile / requirements. It’ll take some time [in which you can start to train current ‘managers’ in the frivolous art of], but then in some future your organisation will be the better for it. Now Go.
Oh wait! There’s ops risk too! For that, watch/listen to this short clip. The venerable mr Sidorenko gives most helpful pointers not only about the above (two minds thought in parallel ways) but also on actual, effective, implementation of both.
Better use an overall, integrated re-organisation of job descriptions. Aligning the above with all that has been collected [collectible, big-if one paid attention] over the past 5 or 6 decades of management studies and necessary improvements, that haven’t as yet indented any scratch into the, wholesale outdated, military-command-and-control style of management prevalent since WWII. But the latter has gotten outdated – the military (grand) strategies it was found to be effective for, have changed already (again) decades ago, and some military have changed, a bit, but not much. The new style of management should in a way revert to normal, to pre-Taylorían/Scientific-Management days – the better half thereof not the atrocious dictatorial half that was Industrial Revolution type extortion.
Then, from there, build a new management strategy. That fits with the current-day complex society, with complex interrelations of shifting panels of cooperating nucleï of near-cooperative efforts à la original theory of firm. That has been tried before, and failed due to premature [of the times] launch, but now stands a better chance than anything.
Where this leaves the incumbents … well, there’s places for them. Big-if (again) they’re flex enough to landslide to looser-coupled, less-controlled (!!, in a COSO sense), higher-risk structures. Think of the unsurpassed JK Galbraith in Organization Design: An Information Processing View of, yes, 1974! As here. Hey, the Man even has interesting notes on organisational response to the Internet that not many had heard of when he wrote [last page of] this. Has anyone ever done a proper analysis of the merits for today’s Questions, and/or gauge where org developments may have gone too far hence a backtrack on certain Galbraith’ian developments (after which, re-development in other directions ..!?) may be helpful?
Letting the original idea’lets get out of hand a bit, I’d better rest my case now, with:
[For no specific reason whatsoever, like instruction or so, from Bouchard Aîné Fils indeed hope they don’t mind the ©-thing]
2 thoughts on “Orgs don’t give a hoot about security [or privacy, or (ops) risk management]”