Security Culture
What is a Security Culture?
The first step in recognizing the security risks of an organization is determining its security culture. The security culture is a set of practices utilized within an organization designed to minimize risk. Security awareness is a critical component of a well-established security culture, yet it is often the part of a security program that is underutilized.
Having a security culture already in place spares managers and staff the nuisance of having to determine the risks during an incident, and can reduce or eliminate panic during a critical incident.
Security Culture vs. Protocol
The difference between culture and protocol is that culture has been ingrained in our subconscious minds and has therefore become instinctive. Oftentimes we can react to any given situation with minimal effort and last-minute decision making if the culture has truly been established in advance.
Protocol, on the other hand, is the “official” response or procedure (policy) governing any given security incident. In other words, your protocol in the event of a security breach may be to contact the police or security. Yet your security awareness culture may result in you taking additional steps to reduce your risks prior to, during, or immediately after that call is made.
For example, let’s say your protocol is to make that call. However, your instincts at the time are also telling you to lock your doors, write down a license plate number, or do a number of other things. These extra steps are normally the result of a security culture that developed as a direct result of an effective security awareness program.
Another way of looking at culture is that your awareness drives your instincts to react without thinking about it. As a result, you spend less time and energy thinking about what you should do, and as we know, every second counts in an emergency situation. The consequences of not having a well-established security culture can be that you are not truly aware of how much danger you’re in until it is too late.
Ineffective Security Culture
To drive home the point on this subject, let’s look at a real example of an organization that found itself in crisis mode during a serious security threat. Although they had a security program in place, by all accounts it was ineffective when it was needed most.
The organization was a healthcare setting in the middle part of the United States, and they had approximately 3,500 employees. A serious threat against senior leadership in the organization came to light, yet it took days, not minutes, to get this information to the administrators, including the security director.
Looking at this incident after the fact it became clear that the security culture was non-existent. In fact, when asking the staff that first became aware of the threat why they did not report it immediately, they responded that they did not think it was serious. Really?
Further investigation found that the Security department did not know about many other crimes or threats because staff felt that the department was ineffective in providing security, or that there was nothing that security could do, so why bother calling them.
The organization had a security culture, just not the type that they wanted. So how do you change that? In simple terms the organization had to change the perception of security and in doing so had to work on making all organization staff part of the security program. It took about two years but eventually the culture became a best practice and security was the first place that employees would go to on anything they felt unsure or unsafe about.
Security Awareness
It was not that long ago that the discussions about security awareness, or a security culture, were not seen as relevant to the vast majority of organizations. However, following the September 11, 2001 attacks on New York City and Washington D.C. that changed for a time, yet today we often find that we get blank stares when we ask employees or managers of businesses to explain their security culture.
The foundation of an effective security culture is security awareness. An organization has to provide security awareness training to all new staff, and then offer them annual refresher training after that. If you expect the employees to know what is acceptable or what to do in the event of a security incident, and you have not trained them, your organization will likely fail.
The training needs to encompass topics such as risk management; security of physical assets; building access; reporting of incidents; security policies; crime prevention; and numerous other topics. The goal and intent of Security Awareness training must be to realize a long-term transformation of the attitudes of staff with regard to the organization’s security.
The benefits of an effective security culture can include the following:
- Employees are more likely to report suspicions/behaviors/activities that concern them
- Employees are more engaged
- Employees take responsibility for security issues
- Employees within an effective security culture tend to act in more security conscious ways
- Risks faced by an organization can be reduced
- Increased employee satisfaction and commitment to the organization
- Improved reporting mechanisms
- Improved organizational performance
- Protective security measures increase
Improved Communications and Processes
An effective security awareness program, as part of an overall security culture, requires ongoing management of the program and continued communications up and down the corporate ladder. An organization’s security program will be enhanced if the culture is managed on an ongoing basis, provided that you have a robust communication system in place that allows for, and encourages, feedback to management and staff.
A well-defined and well-managed security culture program can result in improved communication, employee satisfaction, morale, and teamwork. It can also result in your employees feeling empowered, and should inspire them to be committed to the organization.
Communication is a key element in a security awareness program and therefore in your security culture.
Challenges to Security Culture Change
The challenge in developing and instituting a security culture is ensuring that staff is aware of the risks, as well as the likelihood of those risks becoming reality, and ensuring that staff always responds in a reasonable and confident fashion to any threat or security incident.
Another challenge is changing deep-rooted beliefs within an organization to a philosophy that is more security conscious and aware. Oftentimes the biggest challenge will be to change the perceptions, and therefore the attitudes, of long-term employees or management.
Conclusion
By adopting a security culture, we can reduce or neutralize security risks against our organization.
An effective security program is one that encourages staff to be well-trained as well as competent in all aspects of their role within the security culture and program.
Management must buy into the culture change 100% and lead by example, or the changes may never take root. For example, if a member of management circumvents any part of the new security culture or awareness program, staff will notice it and may follow suit.
The development of security policies, protocols, and training is not the only thing an organization must do to create its security culture. Since our world is constantly changing, as are the types and numbers of threats against us as individuals as well as organizations, we must ensure that our security programs adjust as needed based on current risks and threats.
The vast majority of security lapses and actual incidents are often a direct result of the human error factor. Implementing a well thought out security awareness program as part of your security culture must include training for all staff, including management, regardless of their level within the organization.