Guidance for Decision Makers
4.1 Tone at the Top
Chapter 3 made a brief comparison between the accounting profession and the cyber security profession. One reason this comparison is informative is that many of today’s information security controls were first established as standards by the Electronic Data Processing Auditors Association (EDPAA, now the Information Systems Audit and Control Association, ISACA) (Bayuk 2005). A key takeaway from that comparison is that the accounting profession’s mantra concerning the integrity of financial management applies across the board to cyber security management. That is: “the tone is set at the top” (COSO 2009). Management tone in any endeavor exists whether or not policy is formally established, and management tone is not the same as formal policy establishment. In the domain of cyber security, policy is a documented enterprise agreement on cyber security goals and objectives, and tone is the level of commitment that management has toward that documented policy and the corresponding enforcement measures.
There is no single right way for a decision maker to make sure people really understand and follow cyber security policy. But, consciously or unconsciously, every good leader has a method of getting important messages across (Bayuk 2010). For example, one manager will make it a practice to always maintain the same level of calm, in order to get maximum value out of showing emotion when an important issue arises. Another ...