02172012There is an important article in today’s online edition of Forbes entitled “10 Security Essentials For CIOs” by Kristen Lovejoy, Vice President of IT Risk at IBM. While the article is directed at CIOs, its recommendations equally apply to, and and should be used by, outside lawyers, in-house counsel and human resources managers to ensure that the trade secrets within their organization are protected. It is an easy and quick read, but a powerful one.

I won’t repeat each of steps that Kristen outlines but I will emphasize the first:  “Build a Risk-Aware Culture.” She uses a compelling metaphor to reinforce her point:

“Think of the horror that many experience if they see a distracted parent on a cell phone while a child runs into the street. That same intolerance should exist, at a company level, when colleagues are careless about  security. Management needs to push this change relentlessly from the very top down, while also implementing tools to track progress.”

We are inundated by new technology and the growing, and at times seemingly overflowing, risks presented internally and externally by those that might compromise it. That technology, however, has little value if the individuals within the organization do not use it and do not consistently enforce its use by others. 

I could search Bartlett’s Quotations or Google for an effective quote about the importance of culture in an organization but I think we all innately know that as human beings, through the process of osmosis, we respond to and are directed by the actions and directives of the organization around us. The actions of senior management and other influencers invariably filter down to others who take notice, consciously or unconsciously, and incorporate that behavior into their own. There are few things more corrosive to an organization than a leader or manager who violates the rules or fails to apply them to his or her own conduct.

Conversely, there is no more effective teaching tool than the actual conduct of a diligent manager or leader. If decision-makers act responsibly, others will invariably follow. Reinforce those actions with formal procedures and education, and you build a culture step-by-step over time. 

It is no different with security. I had the privilege of speaking last May at the American Intellectual Property Association’s Spring Meeting with Malcolm Harkins, Intel’s Chief Information Security Officer. When Malcolm got up to speak, I expected his presentation to be heavily oriented to the technical protections that a sophisticated company like Intel was using or advocating to others. Instead, Malcolm’s primary message was the importance of building and reinforcing a culture of security at Intel.

Take a look at the news this week. Nortel’s trade secrets were stolen from senior management over the course of a decade by hackers. Lawyers are increasingly the targets of cyberattacks because they are perceived to be less careful than their clients in their infrastructure. Like it or not, it is now the world in which we live. Focusing on security and envisioning how to make it part of your organization’s culture is the first and most important step to protecting trade secrets and confidential information.