The importance of organisational context is further underlined by the scrutiny that will follow a breach. If 25 million people’s financial records go missing in the post, it will not just be the individual who sent them who comes under scrutiny, but the culture, governance arrangements, failure of safeguards and perhaps even the gaps in legislation that may have contributed to the breach.
I have recently been reading about Accident Theory, which seeks to understand the root causes of accidents, and I have been struck by the parallels between the management of occupational health and safety and that of information security. One striking example is the report into the crash of the British Nimrod surveillance aircraft XV230 over Afghanistan. The immediate cause of the crash is believed to have been a fire caused by fuel leaking onto a hot pipe, but the government-commissioned report highlights a number of organisational factors and criticises individuals.
In addition, the Nimrod report highlights parallels with other disasters, the loss of the US National Aeronautics and Space Administration (NASA) space shuttle Columbia in particular. The 12 contributing organisational factors highlighted as being common to these disasters should give us all pause for thought as they could well apply, albeit with less tragic consequences, to information security.
Common organisational causes of the losses:
- The ‘can do’ attitude and ‘perfect place’ culture (‘Rules schmules. Get it done’.)
- Torrent of changes and organisational turmoil
- Imposition of ‘business’ principles (in spheres where they do not belong)
- Cuts in resources and manpower
- Dangers of outsourcing to contractors
- Dilution of risk management processes
- Dysfunctional databases
- ‘PowerPoint engineering’ (oversimplification)
- Uncertainties as to out-of-service date (‘It will be fine for another year or two’.)
- ‘Normalisation of deviance’ (‘That error always happens; do not worry’.)
- ‘Success-engendered optimism’ (‘It worked out OK last time’.)
- ‘The few, the tired’ (i.e., the additional work burden/pressures on those left)
Read Peter English’s recent Journal article: