Perimeter
7/9/2012
11:54 AM
50%
50%

Being Compliant Is Not Only Training And Rules, It's Culture

Too many organizations teach compliance instead of live it

In high school, we all took the basics: language, math, and science. Now that a few years have passed (OK, more than a few for some of us), who could pass the final exams in those classes right now? Probably very few. Education fades from our memory unless regularly reinforced. But education and training alone are not enough. The habits we develop determine and drive what we are good at.

Just like individuals, organizations have habits as well -- cultural habits. Ever go to a restaurant with several horrible waiters? Odds are there were no great waiters in the place; the standard of service is simply not very high. It is likely that great waiters who happen to get hired will eventually either leave or become lazy waiters themselves.

If your colleagues are slack about security and compliance, then you are more likely to be slack about it as well. You may even be encouraged to be slack: “Hey, don’t spend time documenting that security process right now. We all know our data is safe, and I need your help on this other deadline.”

Maybe the data is safe that particular day. But what about the future, when months and months of skipped documentation leads to lost knowledge? Time passes, systems change, and staff leaves. Without regular reinforcement, the “things we all know” become a collection of “things we used to know.” Infrequent training alone can never fill this gap. Even frequent training, if not reinforced by your company culture, will be pointless.

As social creatures, most of us want to “just get along.” We can be conflict-averse and prefer to keep a low profile instead of speaking up for important processes if they are contrary to the work culture. After all, who wants to be a tattletale in a noncompliant culture?

I find restaurants with great wait staffs clearly spend a lot of time, and therefore money and time, training their staffs. But they also make a point to only keep staff that fits the culture of excellence. (If you damage our service reputation, then you can’t stay.) As time passes, the culture of service is ingrained and normal, not just an overhyped lesson from sporadic class instruction.

Likewise, I see great business organizations operating the same way. Training and rules are not the be-all, end-all for security and compliance. Rather, training and rules are used to provide the framework and support for excellence. Skimping on security and compliance efforts does more than break rules; it breaks cultural norms.

Show me a business with a strong compliance culture, and I’ll show you a business with a strong sense of purpose, service, and valued teamwork.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand the often hidden risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.