Culture change through incident response

An organization’s culture with respect to information security determines how receptive employees will be to security initiatives. Culture can make the difference between security that is embedded into the organization and security that is simply an afterthought or, even worse, ignored.

Security Culture

Corporate culture, also known as organizational culture, is the invisible lifeblood of a company, made up of the values, priorities, assumptions, and objectives of those within the organization. Culture is formed through a series of successes that reinforce the underlying assumptions behind those successes. Conversely, failures diminish the assumptions associated with the failure. There are many actions an organization can take to begin the process of instilling a culture of security.

It is hard to perceive corporate culture and even harder to manipulate it. However, the complex cultures of organizations can be revealed by conducting a cultural assessment.

It is important to remember that corporate culture is not something that can be altered overnight. It has evolved slowly over the lifetime of the company and has become firmly ingrained throughout the organization.  To change it successfully takes careful planning, strategic thinking, and constant reinforcement.

Case study: Seattle Children’s Hospital

A recent example at Seattle Children’s Hospital shows how the organization’s security culture was improved through incident response planning. In an interview with Information Week, Cris Ewell, Chief Information Officer for Seattle Children’s Hospital, stated that, now that incident response plans have been implemented, employees have recognized that breaches will happen even with the best preventative measures. They also realized that some incidents require outside help. It is important to know whom to contact ahead of time because time is precious following an incident.



About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.
