By Becky Metivier • December 19, 2017

Creating a Cybersecurity Culture Part 1: Institutional Memory

In the current cyber threat environment, organisations must be vigilant. Vigilance begins with preparation. Being prepared starts with being aware. To be successful, you need to develop cybersecurity awareness throughout your entire organisation, which leads to institutional practices that support the secure execution of your business strategy. You need to create a culture of cybersecurity.

What is Cybersecurity Culture?

Cybersecurity Culture, also known as Continuity Culture©, is achieved when an organisation’s people, process, and technology are aligned with secure execution of the business strategy. People in every position understand that their functional role includes protection of information, customers, assets, other employees, and the organisation’s mission.

All workforce members understand the functions, and the risks, associated with the information systems they use. Processes are designed to create closed-loop accountability, and the documentation of those processes is maintained as the organisation’s active institutional memory. Leadership sets the tone and invests in a culture of “know.”

In short, it’s a culture that allows an organisation to continue its mission with only minor interruption despite almost constant attempts to disrupt it. And the foundation of a cybersecurity culture is institutional knowledge.

The Danger of Tribal Knowledge

Does this scenario sound familiar to you? You’ve been assigned a new task at the office. You locate the standard operating procedure and try to follow it, but it doesn’t make any sense. You ask your co-worker for help. The response? “Oh, don’t pay attention to the paperwork. You have to ask Dave how to do it. The paperwork doesn’t matter anymore, but he’ll know. He’s been here for 20 years.”

This is what we refer to as tribal knowledge. It’s the information about operations that employees keep in their heads. It’s the real information behind a static written procedure or process that is no longer appropriate or applicable to the organisation. And it’s common in many organisations, especially small ones. Keeping policies and procedures up to date and spending time training employees can be perceived as low priority. These activities often get bumped to the bottom of the to-do list by higher-priority tasks. But not doing them puts your organisation at risk, because that knowledge can walk out the door at any time.

The cost of tribal knowledge when it “walks out the door” is quantifiable and significant. It takes real dollars to train replacements, plus real dollars in lost productivity, as well as the risk to systems and reputation if a function is not executed accurately and/or safely. It also takes far more time to rebuild severely outdated documents than it would have taken to keep them alive. And the disruption can be significant, up to and including having to replace whole systems because no one left in the institution knows how to operate a legacy system that is important to operations. We’ve seen this happen. An organisation lays off a whole team, whether by accident, poor planning, or intention, and no one remaining in the organisation understands how to run the tool, or even how to log into it.

Institutional Memory

Institutional knowledge is information that’s out of someone’s head and into a “living” document. Therefore, creating institutional memory is all about documentation – active organisational documentation, hardcopy and/or digital, including:

  • Policies;
  • Procedures;
  • Guidelines;
  • Asset inventories;
  • Change documentation;
  • Network infrastructure diagrams;
  • Data flow diagrams; and
  • Continuity of Operations Plans, such as Business Continuity Plan (BCP), Disaster Recovery (DR), Incident Response Plan (IRP), and Vendor Management.

Of course, this isn’t an exhaustive list, but you can put almost anything in one of these buckets. What’s most important is that this is active documentation: it is part of an ongoing process, not a point-in-time engagement. You should never put these documents on a shelf and say, “well, I’m done with that.” You need to have a process to keep these documents ALIVE and MEANINGFUL.