It’s security. It’s culture. It’s the vibe, and uh, that’s it, it’s the vibe!
‘We have such a great culture at our office’ is a statement that could mean many different things to different people.
When “culture” takes on different meanings to different people, cultural change becomes highly prone to failure.
If nobody bothers to define what this apparently mystical thing is that we refer to as “culture”, how can we expect to begin to change it?
The reality is that security culture (any type of “culture”, for that matter) is not some ethereal concept: it is measurable, enforceable and malleable. Security culture is the sum of both the desirable and undesirable security behaviours of people.
Basic security culture change is about transitioning an organisation from a purely forced compliance environment where people are not required or encouraged to think about security (think air-lock doors and forced password resets) to behavioural compliance (people choosing to follow rules when required).
Negative behaviours can make organisations vulnerable to security threats, creating security risk, and those behaviours must stop if the organisation is to be protected.
Behaviour may be influenced with policies such as:
- ‘Don’t write your password on a sticky note next to your keyboard.’
- ‘Don’t chock the back door open when you go on your lunch break.’
These simple instructions are an attempt to shape a positive security culture through behavioural compliance. They promote measurable, enforceable and malleable behaviours through instruction.
Is a compliance-based approach enough to effect positive security culture change? Based on my experience, I would suggest this approach is failing in most organisations.
Some reasons for the failure of the compliance-based approach include:
- Limited or no connection is made between the requirement and the associated benefit to the organisation and its personnel (the why).
- Limited or no mechanisms exist to deter, detect and report on non-compliance incidents and trends.
- Limited or no mechanisms exist to respond to detected incidents and reported patterns of non-compliance.
- Limited or no consequences exist for non-compliance offenders.
If a compliance-based approach to security culture is generally failing, should we move away from it?
Arguably not, because we cannot expect people to do (or not do) something we haven’t communicated the expectation for.
My experience shows that a compliance-based approach is never enough to induce positive behaviours in all people, all of the time.
A compliance-based security culture tells people what to do and not do.
A security leadership culture engages with people on why security matters to them personally, and to the organisation, and then continuously models what to do, when, where and how to do it, so that good behaviour begins to permeate the organisation both vertically and laterally. It also empowers people to pro-actively challenge bad behaviour without reprisal and enables them to exercise greater agency in decision making.
‘That sounds amazing, how do we achieve this?’ I hear you ask.
Firstly, context is key; imagine working in a benign office environment, and employee Joe “jumps down your throat” every time you move two feet away from your unlocked computer terminal – that’s a ticking timebomb in terms of workplace culture. The fact is, not every workplace needs to be a high security environment; it all depends on the risk context.
This is where security risk assessment comes in: to establish the context, understand the criticality of the assets you’re working with, and assess the level of threat posed to your organisation, so that an appropriately risk-based security culture strategy can be developed.
To move an organisation towards good security behaviour, following the security risk assessment, a clear strategy including intended outcomes, workstreams and milestones should be developed. Be sure to identify potential hurdles before they arise, and plan effective mitigation strategies.
Perhaps the most critical elements of your security culture strategy are leadership and education.
Who is going to champion the proposed changes, and how will the messages be reinforced?
Everett Rogers’ theory of Diffusion of Innovations is one useful tool that can be adapted for understanding and planning how to effect change across large organisations.
All too often, organisations spend tens of thousands of dollars having strategies developed without first identifying and defining the root causes of their problems, and consequently fail to implement the desired changes, especially when nobody takes responsibility for leading the change and enlisting the help of other organisational influencers.
To effect and maintain positive change requires genuine commitment, substantial effort and material resources.
Culture is not an immaterial concept; it is the tangible, measurable, enforceable and malleable behaviours of real people.
Security culture exists in different forms according to the maturity and context of the organisation, including forced compliance, behavioural compliance and security leadership culture.
Security culture change is never easy or simple, but it can be made easier and simpler by gaining a sound appreciation of the organisational security context, conducting sound planning, and engaging change leadership support from across the organisation at all levels.
R2S Consulting has effected large scale cultural change projects for organisations as diverse as major banks, law enforcement agencies and major federal government departments. We would welcome your enquiry if you have a need in this space.