Building a Corporate Culture of Security

Author John Sullivant

ISBN No 9780128020586

Review date 24/06/2019

No of pages 298

Publisher Butterworth-Heinemann (Elsevier)

Year of publication 29/07/2016


Building a Corporate Culture of Security: Strategies for Strengthening Organizational Resiliency, by John Sullivant. Published 2016 by Butterworth-Heinemann (Elsevier), 298 pages, eBook ISBN: 9780128020586. Ebook price £26.34.

Our Review



The US author of a book on corporate security culture has some penetrating arguments that security and general corporate readers alike may find challenging: for instance, that a company’s security might well not be as good as executives think and say it is, and what that means for the person in charge of security.

John Sullivant, an American veteran, and indeed a Californian, covers cyber and risk management, and metrics, and assessment and threat estimate; things we are familiar with. Less familiar, at least in the literature on security management, is what you could call experience from the trenches: that the security head may be undermined by people speaking in his name; or that the head may not make best use of his time with the CEO, or may do damage, because he tells the chief what the head thinks he wants to know, or already knows, or whines a lot.

Early on Sullivant introduces the idea of ‘vulnerability creep-in’. According to Sullivant, ‘too many security managers have no clue they have a problem, and most do not want to know a problem exists’. They don’t draw on the mass of non-security employees, and they allow complacency. Such a ‘creep’ can take years to build, and is undetectable until some identifiable security problem occurs.

Any problem with all that?! As the author points out early on, he is a consultant; he advises; he can serve clients ‘free from political pressure or influence’, but as readers may ruefully reflect, it can be ethically and practically tough if you are a security manager in a hierarchy that is functioning badly, bullying, or even criminal. Another criticism could be that ‘vulnerability creep-in’, while striking and original, is also subjective. Sullivant likens it to cancer; but it’s not literally, because it afflicts an organisational body, not a physical body. The term ‘vulnerability creep-in’ runs the risk of being so vague that it applies to everything - strategy, planning, compliance, leadership, decision-making, company culture - and thus nothing in particular. While Sullivant talks of shortcomings - weak contract or other management, inexperience, lack of planning or vision, policy fads, indifference to those things - those guilty might argue back that they are doing their best; and maybe they are even correct? If senior execs are indifferent to security, in the name of making the next sale or hitting target, and they succeed, so what?! Especially if - to take ‘vulnerability creep-in’ at Sullivant’s word - the turnover of staff is faster than the ‘vulnerability’ turns into a problem - a hacking attack, a shooting or kidnap, theft (online or real world) or whatever. What matters to the professionals is that they get out with their CV intact!? And if a business is changing fast because of acquisitions, a security department can simply have more things to do than there are hours in the day.

The author, then, has come up with an intriguing idea in ‘vulnerability creep-in’, but would do well to consider how such security or general risk shortcomings compare with the falling-short of other departments (and Sullivant does point to the common ‘silo’ mentality of departments, reasonably enough, getting on with their own job and not talking with other departments). Put another way, can a security department be outstanding in a mediocre or even incompetent overall organisation? Or vice versa - can a good company (and how do we define that) do well with a poor security department? Or do businesses get the security departments they (and their customers) deserve?!

Sullivant talks for example of the challenge to educate the C-suite on ‘the fundamental mission, purpose and benefit a competent security organisation has to offer’; yet could that C-suite member argue that he has enough to do, thank you, and shouldn’t the C-suite trust security to just get on with their job (just as legal, compliance, and sales and so on are left to get on with theirs?). But in the chapter on ‘the cyber threat landscape’, for instance, Sullivant closes by claiming that the CEO must (among other things) recognise the emerging threats, including from insiders. Isn’t that what he has an IT (or security) department for?! In fairness, in more detail Sullivant says that the CEO ought to allocate resources to meet cyber threats - but does anyone, even a consultant, know what amount of resources is best, when cyber is changing so fast?! Yes, the author has a point when he speaks of security directors and managers ‘who lack the basic skill sets to influence, coach and teach decision makers and staff’; but doesn’t that come back to the organisation in general; it’s hired those people, and doesn’t give them training?!

Sullivant covers a lot of ground - one chapter on ‘preparing for emergencies’, which can take up whole books. The risk of kidnap, violence in the workplace, corporate espionage, terrorism; Sullivant sets out the bewildering and changing threats. Rather than offering chapters on training and assessment and other models, he would have helped readers by going into more detail on what it takes to get ideas and budgets past the board; by giving some anecdotes, even. As it is, a chapter late on does cover ‘how to communicate with executives and governing bodies’. Here he does offer plenty of wisdom, to get messages across to directors and CEOs - in ten minutes or less. This ought to have formed the basis of the book - and it would form the basis of a future good book - rather than the chapters on ‘deficiencies, weaknesses and inadequacies’ that the US had to confront on 9-11 and that we know about if we only open a newspaper (or a door in a warehouse or walk a perimeter for a mile?!). What Sullivant has to say - about people (such as Edward Snowden) being the weak link for example - makes perfect sense, but by including in his conclusion the line that ‘vulnerability creep-in’ ‘has to be cleaned up, swept away and never allowed to return’, the author runs the risk of appealing for perfectionism. The better question then is: are companies becoming too large and complicated to be secured well, or at all?