Does security culture trump strategy when it comes to facilitating excellence?
Today the latest report from the Security Research Initiative is published – ‘The importance of Security Culture in Facilitating Security Excellence’. The aim of the research was to explore the challenges to building a strong security culture in today’s world and assess how the security sector is responding. The research is based on the views of security professionals from both in-house and contract positions, as well as other security experts, collected via an online survey and in-depth interviews. There were a number of key findings.
Security culture is very important to a successful security operation
In terms of the factors that are important to a successful security operation culture sat side by side with other key aspects such as effective security leadership, clear security objectives, and an effective security strategy.
Culture is at least as important as strategy
Generally, there was a view that culture brings life to strategy and defines the extent to which strategy is executed. Indeed, three fifths of our survey respondents indicated security ‘culture’ is as important as security ‘strategy’; and a third indicated ‘culture’ is more important than ‘strategy’.
Security culture and organisational culture are linked
Views were mixed as to whether you can have a strong security culture without a strong broader organisational culture. But interviewees generally felt there was a relationship between the two and that a good organisational culture would enable a good security culture, while a bad organisational culture would create challenges for a good security culture.
Security professionals do not believe organisation workforces are sufficiently engaged in security
Engaging the wider workforce of an organisation with security is known to be an important part of a strong security culture. While two thirds of respondents felt that the wider workforce of an organisation tends to valuephysical security measures in their workplace, they were less inclined to view the workforce as strongly engaged with security: less than half thought employees see security as important to overall success and less still thought employees view contributing to security as part of their own job description. Overall less than a quarter of our survey respondents thought the wider workforce of an organisation commonly carry out behaviour indicative of a strong security culture.
The barriers to engagement need to be overcome
The reasons for a lack of engagement are varied. Barriers cited by participants included lack of senior level ‘buy-in’, lack of financial investment, a negative perception of security, lack of or ineffective communication on security issues, complacency, and apathy among the wider workforce of an organisation, competing priorities and workloads among the wider workforce, the quality of security staff and of security management. Somerecent trends may also be undermining a security mindset such as the increase in working from home which makes it harder to ensure people are engaged with security requirements, financial pressures may compromise the quality of security and priority given to developing security culture, and understaffing and turnover, both within security teams and across organisations also make it harder to keep staff engaged.
Communication of the value of security is key
The findings suggest much more focus is needed on engaging the workforce and that ultimately effective communication of the value of security is the key to overcoming the barriers. Different groups need to understand ‘what’s in it for them’ and therefore messages need to be tailored to senior leadership, to security teams, and to the wider workforce to demonstrate the benefits of security.
Professor Martin Gill who led the research noted:
‘Our research suggests that security professionals are unequivocal about the value of security culture in supporting security excellence. Good security culture is an essential ingredient but one that can be hard to obtain. The key, according to our participants, is to effectively articulate the value of security in ways that are meaningful to different audiences within an organisation. This means stepping beyond the notion that security is only there to deal with a crisis and demonstrating that security is an enabler of operations and moreover a contributor to the overall success of an organisation. If good security is about engaging the hearts and minds of stakeholders, not least staff and hierarchies, then our results suggest that the security sector is struggling. Worse still some recent societal trends are complicating the problem and increasing the difficulty of the challenge.’
The Security Research Initiative is sponsored by the security sector (buyers and suppliers) and involves an annual study. The reports are made available free of charge in order to provide a more informed information base about the workings of the security sector. (https://perpetuityresearch.com/security-research-initiative/). The initiative is supported by leading security associations – ADS, ASIS UK Chapter, BSIA, IFPO UK, IPSA, SyI and The SASIG.
Professor Martin Gill can be contacted on: m.gill@perpetuityresearch.com; and 0774 028 4286.
The report is available to download here.
The SRI members that sponsored this piece of research were: