
By now you may have begun to see how the classification system based on vertical, horizontal, and blended archetypes can inform the design and implementation of security policies and practices. The linking process is shown in Figure 8.6.

The more vertical the organization, the more top–down its dynamics and the more employee behavior can be influenced by demands for compliance.

As organizations become more flat and horizontal, the drivers of behavior are more varied and include customer and peer influences. The business case for behavior becomes more important than compliance when change is implemented in flatter organizations. How people define value is driven more by customer needs and actual impact on operations than by how much superiors approve.

[Figure 8.5 Optimal culture—Management alignment. A two-by-two matrix of management effectiveness (low/high) against alignment (low/high): one quadrant yields optimal organization effectiveness, the other three yield suboptimal organization effectiveness.]

A characteristic of flat organizations that flies in the face of many people’s fundamental assumptions about the workplace is that the most knowledge about what must be done to meet customer needs and advance business objectives resides in the lower levels of the company rather than only at the top. Many in the workplace are comfortable with the assumption that the more senior the persons are, the more they know. Of course, when information is managed on a very strict need-to-know basis this is often true, because low-level people are not asked to clutter their thinking with real business knowledge, so it is kept from them.

If the contract that an individual accepted along with employment calls for appropriate dependence (vertical archetype), people are less likely to resist security controls. If the vertical organization is led by a truly caring leader, resistance is even less likely because such a person will be assumed to have the best interests of the business and of the people in mind when creating and applying policy.

In vertical organizations people feel powerful because they hold titles, have inside information, and have strong relationships with others who also hold titled positions. In flatter organizations people feel powerful because the feedback they get tells them that they are having the desired impact on customer satisfaction and are working well with teammates. These are nothing more or less than different definitions of competence. The strategies that a security program chooses must recognize this sort of fact. Consider this example of how different types of organizations can respond to a common threat to security—social engineering.

Recognition of the social engineering threat includes acceptance of the fact that this is one of the most difficult threats to reduce, because both the threat and the solution involve influencing human behavior. Let us assume that the cultural archetype in this organization is blended, so we may infer that behavior is influenced both by strong leadership and by customer needs. The archetype also suggests that our efforts will be positively influenced by effective performance management and employee relations practices. Let us say that our organization is fairly typical in that performance evaluations are done on an annual basis by direct supervisors who may or may not have input from customers and peers of subordinates. Further, let us assume that our employee-relations practices are focused on reducing risk to the organization, as is the case in most organizations today. Of course there are likely to be other factors, but let us focus on these for purposes of explanation.

Formal written policy is organization law. For our security policy with regard to social engineering to have weight it will have to be visibly blessed by top management. The policy should also define infractions as well as including a general description of administrative consequences for violations of the policy, so its language must be coordinated with the human resources office as well as legal counsel.

If there are administrative consequences for infractions, there must be some method of enforcement implemented and publicized to deter policy violations. If we believe that our perimeter security is weak because people are frequently allowing “tailgating” by strangers, we might install video surveillance at the entrances both as a deterrent and to capture a record of infractions.

Security Strategies 129

[Figure 8.6. Threat → Archetype → Analysis of salient factors → Options, with the options by archetype: Vertical: top management decree + training + punishment. Blended: top management decree + training + punishment + communication. Horizontal: idea mining + education + high touch communication.]

We might also implement training to ensure that everyone in the organization understands both the nature and the threat of social engineering, because the phrase is not self-explanatory. Initially this training will have to be done across the population and the best method might be a video- or computer-based approach that ensures access to the information but does not place great demand on people’s time. Media materials in support of this policy should include the image and voice of top management to lend credibility to the messages. In our organization, policy and training language should also include information about impact on the customer experience and company profitability (especially important if employees have an ownership stake in the company). For ongoing training the introduction to security policy and practices should be a part of formal and informal new-hire orientation.

If we were addressing this threat in a horizontal organization, our approach would be different. Our focus at the outset would be on developing ideas from among the employee population about how the threat can be addressed by policy and practices. The responsibility for enforcement would be distributed among the population and education about this part of role expectations would be “high touch” rather than “high tech” and directly involve the most senior managers in the organization. Discussion of security threats of all kinds would include metrics that describe the impact of breaches in business terms. The extent to which people at various levels in the organization are directly involved in strategy and program development varies with cultural archetype as is shown in Figure 8.7.

You may be able to see from our example that understanding the culture in terms of the most positive aspects of the archetype logically leads to workable strategy. The archetype also discourages the endless analysis of culture that can come from inclusion of every idiosyncrasy of a physical or social behavioral nature in a description of culture. The principles underlying the archetypes give you a solid foundation upon which to base policy and practice recommendations.

[Figure 8.7 Employee involvement by archetype. A chart of direct employee involvement (low to high) against archetype (vertical to horizontal).]

Presenting Assessment Results
