The importance of parents
Even if you're not a parent, you know that being a "parent" is no easy task. Following your child's growth, educating them about right and wrong, teaching them to respect differences, and facing life's challenges together are all part of the parenting journey. This journey may involve some disagreements along the way, but they are an integral part of the parenting process.
While there may be exceptions, most of the time, children reflect their parents. What does this mean? It means that if they observe negative behaviors and attitudes in their role models, such as arguments or disrespect, they will likely reproduce them at some point.
For your child to grow into a good person, they must witness positive things. For example, they should experience a harmonious environment where respect and honesty prevail, and conflicts are resolved through conversation rather than shouting or insults.
Involvement of Top Management
Having revisited the importance of parents' attitudes towards their children, let's now draw an analogy with the corporate world, specifically looking at information security.
Any organization seeking to develop, implement, and maintain an Information Security Management System (ISMS) must recognize that its information exists in several forms: physical (printed or handwritten material), electronic (digital data), and spoken (conversations, calls, meetings). Protecting all of them requires a mix of controls covering people, processes, and technology; no single layer is enough.
Maintaining an ISMS becomes extremely difficult when the organization's top management neither supports nor contributes to it. This is where the analogy fits: the executive body of the company has to behave like good parents.
It's no coincidence that the standard (ABNT NBR ISO/IEC 27001, 2022), as discussed before, dedicates clause 5.1, Leadership and commitment, to spelling out the responsibilities top management has towards the ISMS.
Therefore, if the top management ("parents") of the company expects its employees ("children") to respect the policies, processes, and procedures defined to protect information throughout its lifecycle, it cannot contradict those expectations at any point. Otherwise its poor example is likely to be copied, and the inevitable question follows:
Why should we follow if they don't even follow it themselves?
If I, as a representative of top management, help write the security policy guidelines that, for instance, require all internet traffic to pass through a proxy for content control, it would not be right for me to demand that my machine be the only one with unrestricted access, bypassing the proxy. Exceptions to a control may sometimes be justified, but they should be granted through a documented, risk-assessed process that applies to everyone, not on the basis of rank.
In summary, if I (management) want to raise my children (employees) well, I need to show that every control we apply is also directed at me and followed by me.
Source: ISO/IEC 27001:2022