Taming the Rebels Without Roles

Every time I see the movie “Rebel Without a Cause” I think about what James Dean’s character would end up like when he went into the workforce. And I wonder how long he would last at most financial institutions.

Do you, as an information security professional, feel like you’re surrounded by rebels at your institution? Are some of them in your senior management? Well, those rebels and everyone else in your institution are the ones you’ll be forced to tame to make your institution “policy central” and compliant with the slew of regulatory guidance stating that information security training for all employees must be part of your information security program.

To create that “security culture” we all crave, there are three things you’ll want to start with:

1. When you create your awareness and training program, ensure that it ties directly into the intrinsic value of being compliant with the regulations. Don’t assume that your awareness trainees know what compliance requires, or that they only want to know “exactly how to be in compliance.” Try to lay out the reasons why the institution is asking them to behave in a certain way, and you’ll see more acceptance from your employees.

2. When in doubt, draw it out. Make it clear where the institution’s boundaries of roles and responsibilities lie when it comes to information security. Accountability for each employee in their respective role, followed through and checked on via job performance reviews, internal audits, and other means, ensures that your employees are doing what they’re supposed to in their assigned jobs. Make information security, at least the reporting of any and all incidents, a part of every employee’s job responsibilities. Write it into your policies that all incidents must be reported as soon as possible.

3. Make those responsible for checking on the compliance of these policies a group other than Information Security. (The information security group checking on the compliance of their policies is akin to the fox guarding the hen house. This points to a conflict of interest no matter how ethical the staff is.) The best areas to perform this checking would be internal audit, a compliance group, or someone responsible for privacy, or as a last resort, an external auditor.

Your job is to convince your institution’s management of the need to establish a culture of compliance. Do that, communicate the message of security to everyone in your institution, establish accountability for all staff and hold them to it, and check regularly for compliance with the security policies, and you’ll be on the right path to a culture of compliance.

About the Author

Linda McGlasson
Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.