Building the Business Case for Security Culture - New White Paper

A security culture revolution that’s good for your health!

Sarah Janes considers how bottom-up culture change helps you sleep better at night.

Isn’t it so often the case that as the people responsible for security we walk around with a permanent furrowed brow? ‘Oh, the problems, the challenges, the breaches!’ Some days it feels like we’re lurching from one crisis to the next. Occasionally we get to be the proactive problem solver, but our focus is always on the problems!

I challenge you to find a pocket of good practice…

So today, do something different: find somewhere that security practices are working efficiently, or maybe even thriving – find a pocket of good practice. Once you’ve located one pocket, it’s more than likely that others will either come, or be brought, to your attention. It’s an underrated natural law that whatever we pay attention to we’ll get more of. Go out looking for the problems and problems will oblige by proliferating. The same happens when we go out looking for what’s already working.

Now, this is not just a recommendation based on the personal health benefits alone, it is actually your first step to cultural transformation.

Challenging the assumptions of a top-down approach

It is generally accepted in business that if you want successful change then it needs to be supported, if not driven, right from the top. It is hard to imagine any other way of doing it; to think differently challenges our rational mind and our sense of an organisation’s natural order. Still, I bet you can recall more failed top-down change approaches than successful ones.

Those with the greatest vision and ability to lead security culture change are not necessarily at the top. And if they are, then it’s a difficult task to cascade their vision throughout the businesses without it becoming distorted.

What is a pocket of good practice?

For many years now, researchers in organisations have consistently discovered ‘alternative’ activity engaged in by employees who are not waiting to be told to follow the specified policy or procedure with regard to security. These grassroots initiatives are often very well intentioned attempts at improvement, with a start-point somewhere other than the top. These ‘pockets of good practice’ emerge when individuals develop a personal vision of what could be achieved in the business if only organisational practices were different. They use their initiative to begin implementing that vision within one isolated part of the organisation, often drawing a small number of like-minded people around them. This then develops into a ‘pocket’ where, through the inspiration of the leader, corporate habits, goals and assumptions can be challenged with the intention of improving business performance.

Finding pockets of good practice

There’s probably at least one pocket of good practice happening right under our noses, but if we’ve developed a problem-oriented perspective then it will most probably be located in a blind-spot we’re not even aware of. We should just take a moment to review our own perspective. If we’ve come to see our role as being primarily about the following: gaps, weaknesses, risks, threats, fines, poor behaviours, reprimands, compliance – then our perspective is probably a bit askew. And whilst we’re quite right to be realistic about the threats our organisation faces daily, we shouldn’t neglect the pockets of good practice which could prove the way forward for developing proactive cultural change.

So, tomorrow try this: as you walk into work, shelve the security problems for a few minutes and be on the lookout for what’s already working. Ask people about their experiences of proactive security; gather some stories, and pass them on to others as you go through the day.

You will find things that amaze you, and humble you. Better still, paying attention to what’s already working will create more pockets of good practice. Give it a go and – I promise – you’ll sleep a lot better tomorrow night.

Layer 8 specialises in developing security culture by creating opportunities for conversation and working from the organisation’s positive core. Take a look at our range of products at:

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email


View our other posts and insights

Scroll to Top