9.7.2021 Article

Information security begins with organisational culture

Breaches of information security can cause serious problems. Yet many organisations consider it a matter of individual heroics, not an essential part of organisational procedure.

It is not uncommon that information security is seen as something mysterious known only by the IT department, its exact meaning escaping the understanding of us ordinary people.

“Technical solutions can help, but when it comes to information security, it’s more about the overall approach – the everyday actions that ensure information security”, says Riku Nykänen, security manager at the technological design house Huld.


Whenever information security is discussed, the matter of confidentiality is often emphasised. However, accessibility and integrity are equally important. Information must be accessible as needed, and it must not in any way change due to a cyberattack or human error; at the very least, any changes must not go unnoticed.

Information leaks, ransomware or misinformed decisions are only some of the potential problems.

Ensuring continuity

Information security is essential for organisations with respect to their operational continuity. In the worst case, a major information security issue may bring operations to a halt or even cause bankruptcy. Even small issues cause extra work and unnecessary costs.

The organisation’s information technology solutions have to be appropriate; however, the essential thing is to incorporate information security in the organisation’s culture – to bring it into everyday procedures and processes. Developing organisational culture is a long-term effort, and communication, in particular, is important.

“This year many people were subjected to the Microsoft tech support scams. They need information on why they are getting these calls and how they should react to them. In this way, people are given tools to do their work in a secure way.”

This kind of culture of security should reach the organisation’s stakeholders, too. Data owners carry the responsibility also when, for example, the processing of information is outsourced to other organisations.

Then the outsourcer has to ensure that its partner organisation processes the information at least as securely as it does itself. The required level of information security is typically contractual, but determining the proper level is never simple. Furthermore, adequate resources should be reserved to monitor that the partner does as was agreed.

Standards as a tool

Standards can help with both developing the organisation’s own culture of information security and determining information security requirements for the partners.

Requiring an information security certificate from the service providers is an easy way to obligate them to commit to information security. When an independent auditor confirms that the service provider fulfils the requirements of a specific standard, their information security is guaranteed to reach the agreed level. When it comes to an organisation’s own operations, standards can be used both to measure the present status and as helpful tools in strengthening information security.

You can learn about standards by yourself or request a third party to evaluate your organisation’s situation and create a development programme.

Information security cannot be outsourced

It is essential that every organisation assign information security to someone with adequate authority and the resources to carry out their tasks.

“However, the person responsible for information security should not be the head of the IT department so as not to make information security seem too technical. In my view, the head of IT should implement information security, but the requirements should be determined by someone else”, says Nykänen.

The person responsible for information security should report directly to top management because the managing director and board of directors carry the ultimate responsibility for implementing information security in the organisation.

This responsibility cannot be outsourced because the organisation must have an understanding of the present state and a vision of future trends. The organisation should have full control.

Top management should consider insufficient information security as a risk to business continuity. Risks cannot be completely avoided, but it is essential to manage them on a scale appropriate to operations. In a changing world, risks should be assessed regularly and responses to changes considered.

“After the Vastaamo patient data leak, processing of health information will probably be more strictly regulated. Organisations processing such information should already start preparing.”

Individual heroics?

In Finnish organisations, the level of information security varies from high to low. In between there are many organisations that haven’t provided enough resources for information security.

“As one of our clients put it, ‘information security is based on individual heroics’. Instead of acts of individuals, information security should be based on operational culture and procedure.”

Indeed, top management should give thought to the organisation’s information security and any development needs – is it based on heroics or procedure?

Riku Nykänen, Huld’s consultant on information security, has participated in the work of the group responsible for SFS information security management standards for close to ten years. In addition, he is involved in other standardisation networks and has researched information security at the University of Jyväskylä. He has both practical and academic understanding of the matter.