Culture change through incident response

5 years ago
Eric Vanderburg

An organization’s security culture in relation to information security determines how receptive employees will be to security initiatives.  Culture can make the difference between security that is embedded into the organization versus security that is simply an afterthought or even worse, ignored.

Security Culture

orporate culture, also known as organizational culture, is the invisible lifeblood of a company made up of the values, priorities, assumptions, and objectives of those within the organization.  Culture is formed through a series of successes that reinforce the underlying assumptions behind those successes.  Alternatively, failures diminish assumptions associated with the failure.  There are many actions an organization can take to being the process of instilling a culture of security.

It is hard to perceive corporate culture and even harder to manipulate it. However, the complex cultures of organizations can be revealed by conducting a cultural assessment.

It is important to remember that corporate culture is not something that can be altered overnight. It has evolved slowly over the lifetime of the company and has become firmly ingrained throughout the organization.  To change it successfully takes careful planning, strategic thinking, and constant reinforcement.

Case study: Seattle Children’s Hospital

A recent example at Seattle Children’s Hospital shows how the organization’s security culture was improved through incident response planning. In an interview with Information Week, Cris Ewell, Chief Information Officer for Seattle Children’s Hospital stated that employees have recognized that breaches will happen even with the best preventative measures now that they have implemented incident response plans.  They also realized that some incidents require outside help.   It is important to know who to contact ahead of time because time is precious following an incident.