Firstly, thanks to everyone who has contributed to the blog so far – some really interesting and thought provoking stuff – keep ‘em coming!
Following my recent video message I thought I’d say a bit about the importance of a strong incident reporting culture – the need for everyone in an organisation to get why it is so important to log security incidents, no matter how small or seemingly trivial.
In the security world, a good reporting culture doesn’t get much airtime against big topics like cyber security. But I think it’s really important. In HMRC we have an excellent reporting culture, partly because of a particular incident a while back. If you work in an organisation like HMRC, you can just sense how valuable and sensitive customer information is, and the need to protect it runs deep. And on the front page of our intranet is an easy link to report any security incidents, from a lost pass or unlocked drawer to more serious breaches.
Only by collecting that information can we really understand what is going on in the organisation. My team do a brilliant job triaging to ensure we can get right onto incidents and deal with them quickly. But they also do lots of analysis to spot trends and opportunities for improvement. That’s resulted in a year on year reduction of incidents and improved the service we give customers.
We’ve done a few things to help keep that culture going: make it as easy as possible for people to report; don’t target reductions in the number of incidents because that can drive under-reporting; reward self-reporting (within reason) and try to show how important the reports are to reducing incidents and improving customer service.
Add your comments below on the ways you drive your reporting culture – I’ll be really interested to know how you drive this important element of security.
1 comment
Comment by Rick Wakeman posted on
Under reporting of negative events is the bane of most organisations. It is especially difficult to overcome where an atmosphere of blame exists, let alone 'performance'. No mamangement can hope to 'reduce' incidents when the baseline is unknown. Management policy has to make it clear an accurate awareness of the given situation is paramount. Burying bad news only ensures a 'Carrie' moment.