A while back, I published a white paper on security culture. An organization’s culture in relation to information security determines how receptive employees will be to security initiatives. Culture can make the difference between security that is embedded into the organization and security that is simply an afterthought or, even worse, ignored.
Culture is formed through a series of successes that reinforce the underlying assumptions behind those successes. Conversely, failures diminish the assumptions associated with the failure. There are many actions an organization can take to begin the process of instilling a culture of security. A recent example at Seattle Children’s Hospital shows how the organization’s security culture was improved through incident response planning.
In an interview with Information Week, Cris Ewell, Chief Information Officer for Seattle Children’s Hospital, stated that now that they have implemented incident response plans, employees have recognized that breaches will happen even with the best preventative measures. They also realized that some incidents require outside help. It is important to know who to contact ahead of time because time is precious following an incident.