Information Security – Values, Change And Culture


“Culture Eats Strategy For Breakfast.”

The quote from former US economist Peter F. Drucker is as radical as it is provocative. When Drucker said it, the digital world of our day still seemed light years away. And yet the mastermind foresaw a world that needed new corporate governance. That means: strategies and their success can only be achieved with a culture of value change in organizations.

If we transport the quote to our times, it is basically an affront to many top managers and strategy consultants inside and outside of companies. The former think they have everything under control in their organization. At the same time, executives are sticking to outdated forms of hierarchy and the sovereignty of interpretation in the company. The latter, i.e. strategy consultants, earn their daily bread by selling all kinds of potential for improvement, where companies can basically look for and find their goals and how they can get there in a structured way. Both sides fail to recognize that the world of digitization requires different approaches. Thus, the concept of strategy often degenerates into an arbitrary placeholder.

The business magazine “brand eins” put it this way as early as the beginning of the millennium: “Luck, plan, coincidence, common sense, analysis or play? Strategy is all that. Nothing more. But also no less. That’s what makes things so complicated sometimes.” Indeed. The strategy process is filled, loaded and fueled with lots of management and marketing phrases. Their half-life can change quickly depending on the situation in our technology-driven (business) world.

The most recent example: the CeBIT in Hanover, which has just ended. The top topic “d!conomy – no limits” was advertised there, with “limitless opportunities for digitization”. The associated press release by the CeBIT organizers spoke of the digital transformation of the economy and society and of visitors experiencing it up close. Speaking of up close: the limitless digitization campaign is currently getting under the skin of many decision-makers up and down the country, propagated by some technology companies, politicians and lobby groups.

From The Digital Transformation Potpourri And The Potemkin Village

A few months ago it was still “Industry 4.0” that was being driven through every media village; now the agile world is coming to the fore and is on the agenda of many companies. Paired with artificial intelligence, Internet of Things or virtual reality, a digital transformation potpourri is created, at the end of which the user no longer knows what has hit them. The key question is: Who should steer everything in an orderly direction? The sobering answer is: in many cases, not those who have to take responsibility for it in management circles. Digital core competence in the day-to-day work of a decision-maker is often rare, i.e. hard to find. Conversely, this means that organizations need the necessary know-how in the area of information security management (ISMS) in-house. A theme,

At this important interface, managers are called upon to initiate, accompany and monitor the process. No less, but no more. For everything else, you need an experienced ISMS manager. The well-known slogan of “a matter for the boss” is dangerous, especially for SMEs, as it quickly leads to a kind of vendor’s tray principle. With “well-founded half-knowledge”, the head of the company is, all in one person, managing director, controller, HR manager, marketing and communication specialist and also ISMS manager. When it comes to information security, this often ends in a Potemkin village, and at the latest in disaster when hacker attacks are successful, employee data is stolen or company-sensitive information ends up with the competition. There are enough examples. The consequences range from high financial losses to damage to reputation or, in the worst case, the demise of the company. This is a fact that companies and their executives should face up to, especially in a working world that is becoming increasingly networked and based on digital information.

A Corporate Culture For Everyone

What counts for top management applies to all employees. However, practice shows that this wishful thinking often lags behind reality, which brings us back to the basic problem and the start of the article. The success of information security can only be achieved with a culture of value change in organizations.

This is becoming all the more important in a digital, networked and highly complex world that requires employees to work and think in an interdisciplinary manner to a much greater extent. One's own points of view, approaches, behavior and value structures should be turned upside down and questioned. Insular solutions and the circle-the-wagons mentalities that often exist in organizations must give way to joint action by all employees. In other words: a corporate culture for everyone, which avoids a pure focus on technology and instead focuses on the employee as a “value”. Especially since information security always means more than IT security, i.e. firewall, virus scanner & Co.

This complex topic needs a management that gives a clear yes to a change process and sets a clear course towards awareness and a lived corporate culture. Speaking of living it by example: it is not enough to impose regulations on information security in the company if top management does not play by its own rules. What’s more, rules and measures for stronger information security are reduced to absurdity if the management “forgets” the regulations in their own office when leaving the company.

A train ride or a visit to a trade fair is enough to find out a lot about the inner workings of a company, including business figures and other confidential information – made possible by the manager with a smartphone to his ear. A small example with a big impact, which shows that information security is only as good as the people who live by it. And this requires prudent handling of the company's knowledge.

In plain language, this means that in order to turn information security risks into opportunities that become success stories for companies, everyone must pull together. What is needed are values in the sense of a corporate culture that is not just on paper. This has to be internalized and exemplified. Then the culture eats the strategy – and not just for breakfast.
