Firewalls protect us. In buildings, it is a wall intended to shield and confine a fire to an area to protect the rest of the building. In a vehicle, it is a metal shield protecting passengers from heat and potential fire in the engine. In network security, it is the logical ingress and egress points securing a network.
Within organizations, there is another firewall that is the most essential, but the most overlooked. That is the ‘Human Firewall.’ I have been an analyst for twenty-two years. Back twenty years ago I remember PentaSafe, later purchased by NetIQ, marketing and using the term Human Firewall to promote policy management in an IT security context. We need to bring the concept of the Human Firewall back and broaden it out too much more than IT security.
The weakest area of any governance, risk management, and compliance (GRC) strategy is humans. Humans make mistakes, they do dumb things, they can be negligent, and they can also be malicious. In the technical world we can lock things down and the world operates in binary. In the world of human interaction it is not binary but shades of grey. Nurturing corporate culture and behavior is absolutely critical. The Human Firewall is the greatest protection of the organization. At the end of the day, people make decisions, initiate transactions, and they have access to data and processes.
A decade ago, I was involved with The Institute of Risk Management in London in developing Risk Culture: Resources for Practitioners. In this guidance, there is the A-B-C model. The ‘A’ttitudes of individuals shapes the ‘B’ehavior of these individual and the organization overall which in turn forms the ‘C’ulture of the organization. And that culture, in turn, has a symbiotic effect further influencing attitudes and behavior. Culture is one of the organization’s greatest assets. It can spiral out of control and become corrupt quickly but can take years, or even decades, to nurture and build in the right direction. The ‘Human Firewall’ is the greatest bastion/guardian of the integrity of the organization and its culture. In today’s focus of ESG – environmental, social, governance – it is in the Human Firewall this becomes a reality in the behavior and culture of the organization.
Every organization needs a Human Firewall. So what is a Human Firewall? What is it composed of? The following are essential elements:
- Policy Management. Policies govern the organization, address risk and uncertainty, and provide the boundaries of conduct for the organization to act with integrity. The organization needs well-written policies that are easy to understand and apply to the context that they govern. They should be in a consistent writing style, maintained and monitored. It is absolutely essential that policies be well-designed, well-written, consistent, maintained, and monitored as they provide the foundation for the Human Firewall.
- Policy Engagement. Well-written and maintained policies are not enough, they also need to be communicated and engaged with the workforce. It does the organization no good, and can actually be a legal liability, to have policies that establish conduct that is not communicated and engaged to the workforce. All policies should be in a common corporate policy portal so they can be easily accessed and should have a regular communication and engagement plan.
- Training. The next part of the Human Firewall is training. Individuals need training on policies and procedures on what proper and improper conduct are in the organization’s processes, transactions, and interactions. Training applies policies to real-world context and aids understanding which strengthens the Human Firewall.
- Issue Reporting. Things will go wrong. Bad decisions will be made, inadvertent mistakes will happen, and the malicious insider will do something wrong. Part of the Human Firewall is providing mechanisms such as hotlines, whistle-blower systems, management reports, and other mechanisms of issue reporting for the employees in the front-office and back-office can report where things are breaking down or going wrong before they become big issues for the organization.
- Extended Enterprise. The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is an extended web of relationships: suppliers, vendors, outsourcers, service providers, consultants, temporary workers, contractors, and more. You walk down the halls of an organization and half the people you walk by, the insiders, are no longer employees. They are third-parties. The Human Firewall also has to extend across these individuals that are a core part of the organization’s processes. Policies, training, and issue reporting should encompass the web of third-party relationships that shape and form today’s organization.
Where are you at in building, maintaining, and nurturing your organization’s Human Firewall?
One resource to help is GRC 20/20’s work in partnership with OCEG on www.PolicyManagementPro.com to promote good policy management practices and certification within organizations.
Other resources to help include GRC 20/20’s research and publications on: