How to implement mindful information security practices
Mindfulness is all about being aware, so why not incorporate that in your cybersecurity practices?
Mindfulness is a powerful tool among life coaches and meditation teachers, and it’s transforming lives. Could mindfulness also be useful in a business setting for cybersecurity risk management?
Authors Randolph A. Kahn, owner of Kahn Consulting, and James Beckmann, counsel for Boy’s Town, consider that question in their American Bar Association article, Creating a Mindful Information Culture. In particular, they examine how a mindful information culture helps to mitigate risk by determining what’s essential.
Kahn and Beckmann point out what those responsible for mitigating the fallout from a cybersecurity event should consider unique for current conditions:
Customers are becoming more aware of “their” private information.
All bets are off if sensitive customer information falls into the wrong hands.
Records that should have been retained may be inexplicably gone when discovery for a lawsuit demands them, precipitating a claim for spoliation.
Here are their suggestions for moving to a mindful information culture.
Select the correct project leader: Every major project or initiative requires someone with buy-in, what Kahn and Beckmann call a champion. “This person possesses a combination of institutional knowledge and political savvy to help make the journey more productive and less painful.” They add, “It is critical the person selected to build a mindful information culture has the right temperament and skill set.”
The skill set should include:
An ability to communicate clearly;
a balance of business and technology acumen; and
an understanding of the company’s organization.
Select qualified team members: Put simply, leaders lead, and team members do the work. “Without the right supporting team members to haul each segment of the organization forward, the initiative will likely experience hurdles,” explain Kahn and Beckmann. “For every information project, there must be business, IT, and legal executive involvement.”
Assess the situation honestly: It seems obvious, but besides knowing what needs fixing, it is also important to understand what is “good enough.” “When you have several issues that must be addressed, each issue must be evaluated based on risk to the organization,” write the authors, expounding that issues creating the highest risk and those that can be addressed quickly should be addressed first.
Build a plan: Just diving in never works well; plans are a good thing. The authors caution that the plan must be more than triaging emergencies. “The tyranny of the immediate cannot derail long-term goals,” state Kahn and Beckmann. “Your organization can implement tactical fixes at the same time that it fleshes out the strategic initiatives.”
To help accomplish tactical and strategic goals, Kahn and Beckmann suggest asking the following questions:
What is your work force’s openness to change?
What is the work force’s technical sophistication?
What is the business’ topology, for example, centralized or autonomous business units?
How big is the problem, and who is required to fund and/or fix it?
If fixing requires new applications, is there expertise to vet the software?
The authors encourage being ambitious but realistic about what can get done given the company information culture, resource constraints, and other projects impacting employee availability.
Explaining and clarifying: Employees are change-averse even if, ultimately, the change helps them. “People default to what is simple and what they know,” write Kahn and Beckmann. “Therefore, open dialogue is critical. It must be clear, consistent, and anchored to a ‘why’ that resonates with employees and makes their life better (not just simpler, but better).”
Making an employee’s life better is the key to eliminating the “but this is how we have always done it” response and having employees become mindful stewards of the organization’s information, which in turn builds a culture of awareness.
Achieving a mindful information culture: For the mindful information culture to move past short-term enthusiasm, Kahn and Beckmann suggest that, just as muscle memory automates physical movements, implementing repeatable and logical processes and directives will make them automatic.
“A mature information culture is a state of being, like a never-ending marathon,” contend Kahn and Beckmann. “Culture is not a ‘sometimes thing,’ it is an ‘all the time thing.’ Building a mindful information culture can be achieved only by implementing a persistent, evolving cycle of assessing, planning, implementing, communicating, monitoring, resolving, and repeating.”
Put simply, cybercriminals never seem to rest and are always reinventing their attack methodology. That’s why Kahn and Beckmann conclude their article by encouraging the same from businesses: “Without that same dedication to diligence as a way of corporate life, a company’s information culture will stagnate, issues will appear, and those responsible will likely feel the pain that is exacted on the non-vigilant.”