I recently attended a round-table conversation where the topic of business ethics and values was brought up. The discussion moved quickly on to Corporate Social Responsibility, charity work and compliance standards that regulate these practices.
One guest offered the example of businesses having to adhere to accreditation schemes in order to set up a CSR programme. Large enterprises are used to this, but for small businesses it can be something of a headache. Does this mean that SMEs are not allowed to be environmentally responsible, look after their employees’ wellbeing, or get involved in charity events? Not at all. But it certainly makes the process more complicated. The PR expert Trevor Morris says: “Companies today must be seen to be doing good – not just good business”. So, as the meeting drew to an end, I was left pondering: when did something as simple as “doing good” become less about the good and more about compliance?
The same argument applies to information security. Companies today must step up their security efforts, yet what we see most often is that compliance remains the only driver for security. This is more common in large corporations and in regulated industries such as finance, but wherever it occurs the effect is the same: security shrinks to whatever the next audit will check. Security should not be limited to periodic audits for compliance; it should be a continuous effort from everyone, much as a fundraising event in the office should happen because the people involved care about a cause, not because they were forced to care.
Security is not only a matter of compliance. Just as you lock the doors of your office every evening, you should also protect sensitive data, restricting who can access it and encrypting it, and regularly test whether your network is prepared for a cyberattack, rather than waiting for an auditor to ask.
Taking it a step further, beyond perception, any business should concern itself with the welfare of its employees, the community it operates in and the world at large. Not because there is a document to make it mandatory, but because businesses are not entities existing in a void. They are social operations run by people, for people. Security should not only be about ticking the boxes of compliance standards, but about securing the business, people and information you are responsible for.