Culture and Stakeholder Management
Establish an information security management aware culture. Motivate stakeholders, secure their support for key information security management initiatives, and create a shared understanding of how they can help ensure that information security management objectives are met.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Culture and Stakeholder Management at each level of maturity.
- 2 Basic
  - Practice
    - Begin to raise awareness of how information security activities contribute to the organization's strategic objectives, and begin to offer incentives/rewards for achievement of those objectives.
  - Outcome
    - There is emerging visibility of how information security activities are linked to the achievement of strategic objectives.
  - Metrics
    - % of IT employees with awareness of how information security contributes to strategic objectives.
    - % of business unit employees with awareness of how information security contributes to strategic objectives.
    - % of IT employees receiving incentives/rewards.
    - % of business unit employees receiving incentives/rewards.
  - Practice
    - Begin to provide and make visible senior management support for a number of key information security activities.
  - Outcome
    - Stakeholder buy-in and ownership of information security activities are emerging as a result of visible managerial sponsorship.
  - Metrics
    - % of senior IT management who sponsor information security initiatives.
    - % of senior business unit management who sponsor information security initiatives.
    - % of information security initiatives with adequate sponsorship.
  - Practice
    - Establish a basic approach for communicating the most significant information security topics to stakeholders.
  - Outcome
    - Employees begin to understand key issues pertaining to information security and can discuss their potential impacts.
  - Metrics
    - Frequency of information security communications.
    - % of employees receiving communications.
- 3 Intermediate
  - Practice
    - Promote a common understanding of how information security activities contribute to the achievement of strategic objectives, and incentivize appropriate behaviours — e.g. encourage adherence to clean desk policies, locking of secure locations, use of screen locks on PCs, and regularly changing and not sharing passwords.
  - Outcomes
    - Awareness of the importance of information security and of acceptable behaviours grows among individual employees.
    - Most employees understand how their behaviours and day-to-day activities can enhance or invalidate security efforts.
    - Many employees are better motivated to support the realization of objectives.
  - Metrics
    - % of IT employees with awareness of how information security contributes to strategic objectives.
    - % of business unit employees with awareness of how information security contributes to strategic objectives.
    - % of IT employees receiving incentives/rewards.
    - % of business unit employees receiving incentives/rewards.
  - Practice
    - Provide senior management sponsorship for most information security activities, and report to the board on progress.
  - Outcomes
    - Fundamental sponsorship requirements for information security are in place.
    - Many employees demonstrate strong buy-in, ownership, and commitment to information security activities, and are motivated to contribute to them.
  - Metrics
    - % of senior IT management who sponsor information security initiatives.
    - % of senior business unit management who sponsor information security initiatives.
    - % of information security initiatives with adequate sponsorship.
  - Practice
    - Standardize the approach that is used for regularly and consistently communicating key information security topics to most stakeholders, and tailor the communications to their needs and interests.
  - Outcome
    - Visibility and awareness of information security issues and their impacts are improved.
  - Metrics
    - Frequency of information security communications.
    - % of employees receiving communications.
- 4 Advanced
  - Practice
    - Incentivize all relevant employees across the organization to robustly maintain security levels and effectively handle calls, emails, and other communications seeking to solicit security-sensitive information.
  - Outcomes
    - Employee behaviours reflect a strong information security aware culture.
    - Employees across the organization are fully aware of the importance of information security and are strongly committed to working together to ensure security measures are effective.
  - Metrics
    - % of IT employees with awareness of how information security contributes to strategic objectives.
    - % of business unit employees with awareness of how information security contributes to strategic objectives.
    - % of IT employees receiving incentives/rewards.
    - % of business unit employees receiving incentives/rewards.
  - Practices
    - Provide senior management sponsorship for all information security activities.
    - Ensure senior management has an approved dedicated security budget and resources, and advocate for inclusion of security matters in annual reports.
  - Outcomes
    - Employees across the organization demonstrate strong buy-in, ownership, and commitment to information security activities.
    - The activities are universally recognized as underpinning the success of broader organization-wide activities.
  - Metrics
    - Existence of dedicated security budget and resources.
    - % of senior IT management who sponsor information security initiatives.
    - % of senior business unit management who sponsor information security initiatives.
    - % of information security initiatives with adequate sponsorship.
    - % of information security actions included in annual reports.
  - Practice
    - Proactively communicate information security topics in a tailored manner to all relevant stakeholders across the organization.
  - Outcomes
    - Communication is in the context and language of the stakeholder.
    - Broader visibility, awareness, and credibility of information security issues are fostered, generating higher levels of interest for engaging in future activities.
  - Metrics
    - Frequency of information security communications.
    - % of employees receiving communications.
- 5 Optimized
  - Practice
    - Incentivize all relevant employees to continually keep abreast of evolving security threats and other relevant trends in the security landscape.
  - Outcomes
    - Information security activities are regarded as being part of everyone's job.
    - Employees are enabled to continually detect security anomalies, and quickly and safely raise alarms or invoke appropriate security responses.
  - Metrics
    - % of IT employees with awareness of how information security contributes to strategic objectives.
    - % of business unit employees with awareness of how information security contributes to strategic objectives.
    - % of IT employees receiving incentives/rewards.
    - % of business unit employees receiving incentives/rewards.
  - Practices
    - Encourage formal sponsors to continually review the information security initiatives for further improvement opportunities and report their status to the board.
    - Always include information security actions in the annual reports.
  - Outcome
    - Senior management, board members, and employees are fully committed to optimizing information security activities.
  - Metrics
    - Frequency of review cycle.
    - % of information security actions included in annual reports.
  - Practice
    - Extend communication of information security topics to the wider business ecosystem where relevant, and review the communication approach for improvement opportunities.
  - Outcome
    - The communications can be framed with discrete audiences in mind, down to the level of key individuals where appropriate.
  - Metrics
    - Frequency of information security communications.
    - % of employees receiving communications.
    - % of business ecosystem partners receiving communications.