Saturday, 23rd January 2021

A security culture can only be created if a workforce/team understands what the expectations are and are given the correct tools and environment to deliver on those expectations.

A workforce can, and should play a proactive part in organisational security efforts. However, many organisations fail to provide the tools or recognise the important ‘multiplying’ effect that can be achieved in protecting an organisation through the establishment of a robust security culture.

Unfortunately, you can’t go online and buy, then embed a security culture. It must be created from within and requires time, effort, energy, and resources to maximise the benefits. When embedded it provides a proactive, cost effective security layer that increases the organisational protective robustness and resilience.

Before an organisation starts to consider changing or creating a security culture, they have to understand what they expect a ‘Security Culture’ to be. A ‘good’ security culture exists when: “The workforce has a collective and collaborative approach to protecting an organisation, its people, and other assets. Based on shared beliefs, attitudes, and values which ultimately shape employee perceptions, understanding and behaviours.” 

It is only by looking at all aspects of the definition above can a truly effective security culture be created. Addressing individual elements (e.g., Behaviours) will generate results but it will be superficial in nature and lack the depth that is required to be truly effective.

It is important to understand the organisation where you are seeking to embed a security culture; what is its purpose, what are its assets, what threats exist and what are the risks from those threats? All these help establish the context of what exists, what gaps there are, and how much work is needed to effect ‘change’.

Reviewing, and ensuring that the policies, practices, and procedures are appropriate and supportive of security efforts. Discussing with internal and external stakeholders about their perception of the organisational approach to security risk management supports the contextualisation, as does site visits.

Having been involved in the creation and development of security cultures around the world I advocate using an awareness and vigilance programme as the vehicle to drive home the messaging, subsequent understanding, and behavioural changes. This programme should be transparent, auditable and must be proactive in nature.

The awareness and vigilance programme should be designed to do the following:

• •Provide tools to enable proactive participation in security efforts.
• •Enable understanding of threats, risks and vulnerabilities that exist. (Awareness)
• •Provide content that enables understanding of individual responsibilities and organisational expectations (Vigilance)
• •Dovetail with security training and development programme(induction, managerial, through to specialist)
• •Include a communications strategy that ensures proactive, positive, and informative security messaging via a range of means.
• •Educate, Enable, Encourage, Empower the workforce to proactively protect the organization, and affirms that security is everybody’s responsibility.
• •Continually inform and maintain levels of security awareness and vigilance across the organization.

Once the structure of the programme has been created it should be endorsed, preferably by Senior Management to highlight support for the programme and expected engagement.

Because of the character of the programme and the need to maintain levels of awareness and vigilance across the workforce the delivery process must be proactive and continuous. There should not be a single delivery means and a wide range of delivery methods exist, limited only by the imagination. Some examples of delivery methods include:

• Intranet
• Town hall events
• Briefings
• PowerPoint presentations
• Posters
• E-Learning
• Merchandise
• Toolbox talks

I have used all these methods, and each has its merits. I have seen a team member briefing 120 personnel about the expectations relating to customer service that resulted in reduced complaints and increased professional behaviours. I have also seen posters explaining the importance of wearing badges or closing windows resulting in increased compliance and reduced breaches. Both simple, but effective examples.

The awareness and vigilance programme when proactively delivered increases greater understanding and awareness, which results in automatic compliance as opposed to it being enforced. It highlights ownership and affirms the adage that “Security is everybody’s responsibility!”

Finally, once the programme is running it is important that continuous reviews take place. This is important to evaluate the effectiveness of what has been developed and delivered but also for the fact that threats and risks to organisations are ever changing and so must the means of protecting the organisation, its assets, and people.

The benefits of introducing an Awareness and Vigilance Programme include the following:

• Increased understanding of security expectations.
• Clarity of roles, expectations, and consequences.
• A tangible and auditable means of delivery.
• Proactive security engagement and compliance.
• A means of delivering cross-organisational security messaging.
• A safer and more secure working environment.
• After time, an embedded SECURITY CULTURE!

About the author: Andy Davis is the Managing Director of Trident Manor and has been proactively involved in the delivery of organisational security planning, management, and delivery all over the world. He developed the specialist SAVE® programme as an awareness and vigilance tool that any organisation can use to increase security engagement, robustness, and ultimately a security culture.

For further details about how Trident Manor can help you increase awareness and vigilance, or to support your efforts in creating a security culture please feel free to contact us for more details.