Information Security

by Andy Taylor

Get buy-in from staff at all levels

If information security is going to become the norm in any organisation, it must have an appropriate and significant level of buy-in from all the staff. Security does not just happen – it has to be made to happen.

How do I convince senior managers it is necessary?

Top down is the only effective way to ensure that effective information security measures are installed and used. The senior management must be the first to emphasise the importance of security; they must not only ‘talk the talk’, but also ‘walk the walk’. In other words, they must do it for real and be seen by the staff doing what they expect the staff to do.

Convincing senior managers that security is a benefit, not a net cost, is the best way of gaining serious and well-motivated support. The best starting point is probably to explain the consequences of not doing it properly: as with health and safety measures, these same senior managers should recognise that they could end up in prison for getting it wrong. Some parts of the Data Protection Act in the UK (which covers the security of personal information) are criminal law which, if the Act is broken, may result in criminal penalties, including prison sentences. This can have the effect of concentrating the thoughts of senior managers.

There are, of course, other consequences which reinforce the argument: loss of income (as happened in New York), long-term disruption to communications (as happened at Buncefield and in a fire in a communications tunnel) and many other consequences specific to organisations, their locations and the nature of the work they undertake.

The induction course

Once the senior managers are on board, it is then fairly straightforward to get involvement from the rest of the staff. It is critical that the process of gaining staff acceptance of the importance of security should start early – as soon as staff are recruited. An induction course is a common way to start the process.


The induction course should be augmented with refreshers as time passes. The world of risk and security is changing rapidly and no one can afford to rest on their laurels and assume that they are still up to date if they were trained five years earlier.

For more about training, see What about training?

Do all staff need to know about it?

The simple answer here is absolutely! Even if individual members of staff have no direct role in implementing BCPs, all the other aspects of the measures taken in the information security arena must be freely and widely available to all staff. Naturally there will be areas of the protection, in particular, where it will be best to limit the details to those with a real need to know, but in general everyone should be aware of the issues and the measures taken to protect the organisation.

One of the biggest issues, notably with computer systems, is that of ‘finger trouble’ or, more generically, user error. Measures can be put in place to limit the effects, but it is rarely possible to eliminate mistakes entirely. Ensuring that all staff are aware of the major issues and steps taken to address them can help to reduce finger trouble.

There are a number of ways of keeping staff involved:

  • A ‘topic of the month’ can be beneficial in raising awareness of a security issue that is particularly important or prevalent
  • A monthly quiz on security
  • Security issues could be a standing item for staff meetings
  • As a matter of principle, the senior managers’ board meeting should always have information security as a standing topic.