Strategy and culture are amongst the primary levers at the disposal of leaders, writes Paul Wood, of Emerging Risks Global.
While a strategy provides direction and outlines a vision, it is the culture that expresses the goals of an organisation through its values and beliefs. Culture is an unspoken set of behaviours, mindsets and social patterns which reflects a shared unity among a group. As security leaders, we are positioned to influence existing cultures and to set change in motion that will influence and imprint the behaviours and assumptions that future generations of a workforce will consider the norm. It is crucial that we remain cognisant of the subtle changes within the multiple cultures which surround us in an organisation and that we adopt appropriate measures to deftly influence the process of change. While the subtlety and ambiguity which may be assumed when we consider the topic of culture can be daunting, it can be managed. The first thing we have to do is to become fully aware of how it works.
What is culture?
Culture reflects the social order of an organisation. It defines the actions that are encouraged, accepted, discouraged or rejected within a group of people. It is malleable and being flexible in its evolution according to changes in environments and the opportunities they offer. In the wealth of academic literature which has considered the concept of culture, four common themes can be identified.
Culture is shared, pervasive, enduring and implicit.
Cultural change must therefore be well planned and supported across all levels of an organisation, if it is to be effective. Any change must be designed and measured against aspirations to improve organisational performance. A phased approach to cultural change should therefore begin with the determination of the culture that presently exists within an organisation. After this, it is possible to define an aspirational target culture. Engaging across all levels of a workforce throughout, leaders must effectively articulate the culture aspiration, so as to encourage the development of change leaders and champions across all sectors of a workforce.
What is a security culture?
Security culture refers to the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security. Developing and sustaining an effective security culture is an essential component of a protective security design and helps mitigate against a range of threats that could cause physical, reputational or financial damage to your organisation. Getting your security culture right will help to develop a security-conscious workforce and promote the desired security behaviours you want from staff.
An effective security culture can offer a range of benefits:
– A workforce that is more likely to be engaged with, and take responsibility for, security issues;
– Increased compliance with protective security measures;
– Reduced risk of insider incidents;
– Awareness of the most relevant security threats; and
– Employees are more likely to think and act in a security-conscious manner.
Organisations should strive to embed an effective security culture where security is a collective responsibility shared by everyone and where individuals display greater levels of security mindedness.
How can we influence change?
The vision of an aspiration culture provides high-level principles to guide organisational incentives, influenced and aligned to present business and environmental challenges and opportunities. The leadership of this change programme requires for strong and appropriate leaders to be selected and developed, who align with the target culture. Charismatic delivery of change messages can help to re-engage incumbent leaders who may be otherwise unsupportive of design change. Effective training and education can help to re-energise individuals and develop them into powerful champions of change. It is through informal conversations amongst partners, that shifts in the shared norms, beliefs and implicit understandings with an organisation take place. As teams and individuals begin to identify the changes within their leadership and in the tone of messaging, they begin to behave differently themselves, thereby creating a positive feedback loop. A variety of organisational conversations, informal and formal, ranging from lunchtime conversation, structured group discussions and roadshows can all support cultural change. Social media platforms and internal workplace chat rooms can also support this process. This widespread discussion can be cultivated and managed by change champions, who advocate for a cultural shift through their language and importantly through their actions.
It is crucial that the desired change is reinforced through organisational design, structure, systems and processes. This will help to instigate new cultural styles and behaviours, supporting the change throughout. Change delivery and practices can help to reinforce the delivery of the aspiration of culture and help to reinforce appropriate behaviours.
Relational security. A paradigm shift
When we consider organisational culture, we are typically considering cognitive culture; the shared intellectual values, norms and group assumptions. Cognitive culture defines appropriate behaviours and choices at work, which can influence attitudes towards factors such as the pace and timeliness of deliverables. While this is unquestionably important, a crucial factor in the development of security culture is our influence upon a group’s emotional culture. This considers our shared affective values, norms and assumptions that govern the emotions that people have and express at work and potentially the ones they can effectively suppress. Developments in the consideration of the ‘affective revolution’, would suggest the influence that positive emotions in a workplace can have upon organisational performance and in our view, organisational security. The display of compassion rather than callousness and indifference, joy and pride instead of anger and dissent, can encourage the development of positive cultures and influence behavioural choices which are made from a place of emotional and psychological safety, which supports individuals cognitive abilities to make better risk-based decisions.
Positive emotions can impact and influence how individuals perform tasks, how engaged and creative they are, how committed they are to an organisation and how they make decisions. By adopting a caring approach towards our teams and partners we are encouraging the development of effective workplace behaviours, performance and crucially encouraging individuals to care about the way they behave and the ramifications of the decisions they make on a day-to-day basis. This, in essence, lies at the core of an effective and positive security culture, a secure and resilient business and a happy and high performing workforce.
Developing an understanding of culture and the approaches we can adopt to elicit positive changes in our security culture provides the basis for our delivery of relational security. This approach to security is however different in that it does not rely upon the direct design and implementation of security solutions, delivered in the form and deployment of people, processes and technology, but rather it is dependent upon the effective adoption of proactive and positive behaviours on the part of every member of a team and organisation. It is about caring for and understanding people. It is this approach to security that clearly emphasises the fact that it is people who are an organisations threat, vulnerability and strength.
Relational security is the knowledge and understanding we have of each other and of our environment, and the translation of that information into appropriate behaviours and choices.
Relational security is not simply about having ‘a good relationship’ with each other. Safe and effective relationships between partners and adopting appropriate behavioural choices both in and outside of the workplace, aligned with organisational and national guidance, rules and regulations, is crucial to protecting people, assets and reputation.
What can you do?
Organisations should aim to develop an appropriate blend of physical, information, personnel, procedural and relational security, to best protect people, assets and reputation. The balance between these three dynamics often shifts, requiring for you to change your plans to meet the needs of a particular situation. However, it is essential that all three are in place at all times, and one should never substantially compensate for the absence or ineffectiveness of another.
