Sage Advice - Cybersecurity Blog

Creating a Cybersecurity Culture Part 1: Institutional Memory

cybersecurity-culture-institutional-memory.jpgIn the current cyber threat environment, organizations must be vigilant. Vigilance begins with preparation. Being prepared starts with being aware. To be successful, you need to develop cybersecurity awareness throughout your entire organization, which leads to institutional practices that support the secure execution of your business strategy. You need to create a culture of cybersecurity.

What is Cybersecurity Culture?

Cybersecurity Culture, also known as Continuity Culture©, is achieved when an organization’s people, process, and technology are aligned with secure execution of the business strategy. People in every position understand that their functional role includes protection of information, customers, assets, other employees, and the organization’s mission.

All workforce members understand the functions – and the risks – associated with the information systems they use. Processes are designed to create closed-loop accountability, as well as provide service to the active institutional memory contained in documentation of those processes. Leadership sets the tone and invests in the culture of “know.”

In short, it’s a culture that allows an organization to continue its mission with only minor interruption despite almost constant attempts to disrupt it. And the foundation of a cybersecurity culture is institutional knowledge.

The Danger of Tribal Knowledge

Does this scenario sound familiar to you? You’ve been assigned a new task at the office. You locate the standard operating procedure, and try to follow it, but it doesn’t make any sense. You ask your co-worker for help. The response?  “Oh, don’t pay attention to the paperwork. You have to ask Dave how to do it. The paperwork doesn’t matter anymore, but he’ll know. He’s been here for 20 years.” 

This is what we refer to as tribal knowledge. It’s the information about operations that employees keep in their heads. It’s the real information behind a static written procedure or process that is no longer appropriate or applicable to the organization. And it’s common in many organizations, especially small ones. Keeping policies and procedures up-to-date and spending time training employees can be perceived as low priority. These types of activity often get bumped to the bottom of the to-do list by higher-priority tasks. But not doing it puts your organization at risk because that knowledge can walk out the door at any time.

The cost of tribal knowledge when it “walks out the door” is quantifiable and significant. It takes real dollars to train people, plus you can add real dollars in lost productivity, as well as risks associated with system disruption and reputation if a function is not executed accurately and/or safely. It takes a lot more time to update severely outdated documents compared to keeping them alive. And disruption can be significant – up to and including having to replace whole systems because you don’t have anyone in the institution that knows how to use a certain legacy system that is important to operations. We’ve seen this happen. An organization lays-off a whole team – either by accident, poor planning, or intention – and no one existing in the organization understands how to run the tool or even log into it.

Institutional Memory

Institutional knowledge is information that’s out of someone’s head and into a “living” document. Therefore, creating institutional memory is all about documentation – active organizational documentation, hardcopy and/or digital, including:

  • Policies;
  • Procedures;
  • Guidelines;
  • Asset inventories;
  • Change documentation;
  • Network infrastructure diagrams;
  • Data flow diagrams; and
  • Continuity of Operations Plans, such as Business Continuity Plan (BCP), Disaster Recovery (DR), Incident Response Plan (IRP), and Vendor Management.

Of course, this isn’t an exhaustive list, but you can put most anything in one of these buckets. What’s most important is that this takes active documentation, so it’s part of an ongoing process not a point-in-time engagement. You should never put these documents on a shelf and say, “well, I’m done with that.” You need to have a process to keep these documents ALIVE and MEANINGFUL. 

While building institutional memory is the foundation of a cybersecurity culture, it’s only one piece. People, process, and technology all have a major part to play, and in future posts, we look into each on in-depth.


Connecting You to Cybersecurity Expertise

The world of cybersecurity is ever-changing and cyber-attacks continue to expand in scale and scope. It’s nearly impossible to single-handedly keep up with the evolving threat environment and cybersecurity best practices, especially when many information technology teams are juggling with competing priorities with limited resources. Sage’s Cybersecurity Partnership Program provides oversight, guidance, and counsel toward meeting compliance objectives and improving the security posture throughout the organization.

  Learn More

Topics: Security Policy, Cybersecurity Culture