Tackling cultural deficits within the workplace is a long-standing challenge for any business leader and their team. For a long time, those responsible for managing risk within an organisation, including information security, have recognised that the greatest vulnerability and threat in the risk equation are people.

Statistically, the greatest vulnerabilities come from people who act with no malicious intention. Remove these through effective training and you significantly reduce your exposure to risk. Then there are those who, although they have received all of the training on information security policies and procedures, decide to circumvent the system: not for any personal gain, but simply to "expedite" a process. Motivate these people to understand the reasons for the policies and procedures, and what is in it for them, and again you can significantly reduce your exposure to risk. Both require a shift in the culture of the business and, more specifically, of individual employees.

However, the two profiles of employee have different motivations. The first is rewarded for their compliance, and rewarding it reinforces their attitude. The second has to be motivated to become more compliant, which means providing some material gain; in the case of BP, a bonus.

Management Today reports that BP, in an effort to drive cultural change and, no doubt, to take a step towards rebuilding its brand reputation, has based its bonuses for the next quarter, across the whole of its business, on compliance with safety. Very commendable. What can the information security community learn from this innovative step? If bonuses can be offered for environmental risk management, can the same be applied to information security?