Large organisations such as the Metropolitan Police and the CBI have recently come under criticism for having cultures that enabled insider misconduct. But what is organisational culture? It can be surprisingly difficult to define. Broadly, it’s how people in an organisation understand how things are done. It encompasses behaviours, working practices, norms, use of language, and even stories. But one thing we have found consistently in our work is that an organisation’s culture has a strong bearing on security and insider risk.
How can organisational culture affect security culture?
An organisation’s culture emerges out of its goals, purpose, structure, size, history and people. Last year, we did a fascinating piece of work looking at whether it was possible to have a common security culture across a range of organisations of very different sizes and types. In the process we gained a lot of insight into the ways that organisational culture can exert pressure on security culture. I’d like to share some of those insights with you.
As a way of helping us think about the effects of organisational culture on security, we adopted a commonly used organisational culture framework called the Competing Values framework (Cameron & Quinn, 2006). This uses a culture measurement tool called the Organisational Culture Assessment Instrument (OCAI). It classifies organisational cultures into ‘clans’, ‘adhocracies’, ‘hierarchies’ and ‘market cultures’. We wanted to see what challenges these types of culture pose to good security. We also wanted to explore how they might be harnessed to foster good security behaviours.
‘Clan’ cultures are one big (usually) happy family. People have a lot in common, they share values and there is a strong sense of loyalty and tradition. People know each other and look after each other, and there is an emphasis on teamwork and consensus. Conflict is seen as destructive and avoided if possible. Outsiders can feel unwelcome and excluded, and external scrutiny is not always welcome.
Clan cultures exist in parts of the police and in the health service, and there is actually a lot that is good about them. People like working in them – always a big plus when it comes to reducing insider risk. But the downside is that people close ranks when things go wrong and cover up mistakes and misconduct. Rules are bent to avoid conflict, and poor behaviour is tolerated because no-one wants to rock the boat.
Adhocracies are flat, dynamic, individualistic and risk-taking. Tech companies like Uber and Twitter, in the early start-up years, spring to mind. Individual initiative is encouraged, and people are licensed to move fast (and break things!). People don’t expect too much support from others or give much in return. Processes and rules are kept to a minimum, and rule breaking may be tolerated (and even encouraged) in the interests of creativity and getting things done. There is clearly a balancing act here for the leaders of these companies. Rules and process can indeed get in the way of innovation and creativity. But with too much free rein, important things get broken – people behave carelessly or selfishly, which can end up putting your assets and your staff morale at risk. Too little organisational cuddliness results in people feeling they don’t owe you anything and walking off with your IP. It’s a really difficult call.
By contrast, in hierarchies everything is about rules and process. Banks and government departments are typical examples. The organisation has everything covered, and people know they are ‘safe’ as long as they stick to the rules. But while this can be good in terms of compliance, it’s not always great for security – or indeed for creativity and delivery. In a world of constantly evolving threats and technology, there can’t be rules for everything. This means you need to give people the knowledge and authority to make informed, risk-based judgments when they find themselves in complex or uncertain situations. A rule-bound culture disincentivises this by generating transgressions and then punishing them. As a result, employees become risk averse and ‘risk-deskilled’. They also become demotivated through a lack of personal autonomy and a sense of being controlled. In these types of organisations, we typically find that security measures which are part of a compliance regime are adhered to religiously. Meanwhile, equally important security measures which fall outside the regime are ignored or neglected.
Market cultures are competitive, driven environments where managers work their people hard and expect results. Although these types of organisation have all the usual HR and welfare trimmings, these are not places where people feel they can put up their hands and ask for help. High levels of stress and burn-out are common. The focus on the ‘what’ over the ‘how’ means that peripheral things like staff well-being and security can fall by the wayside. Shadow security practices can develop, whereby people pay lip-service to the rules but are allowed to circumvent or ignore them in practice. It is common in such organisations for high performers to get a pass when they behave poorly or insecurely, creating a feeling of ‘one rule for them and one rule for us’ among colleagues. Leaders may decide that the benefits of a pressured workplace outweigh the risks – but in high-stakes environments like defence manufacturing or pharmaceuticals it can be really important to understand the risks associated with burnt-out and resentful staff.
Foundations of good security cultures
A good security culture will look different depending on whether you are a defence organisation or a dental surgery. So, it is worth understanding what kind of security culture you need before you go messing with your organisational culture in order to achieve it. We have done a lot of work to help companies work out how to resolve the tensions between the culture which drives their business and the security behaviours needed to protect it. But whether your organisation is all about fingerprint entry systems and employee monitoring or whether it lets people work from the beach on their laptop, we believe there are two things sitting at the core of all effective security cultures. The first is clarity about the level of risk the organisation is willing to take in pursuit of its business goals. The second is the commitment and involvement of the whole workforce to the business of protecting the organisation. Without these two, all other efforts to establish a strong security culture are likely to founder.
About the author
Dr Susanna Berry is the behavioural science lead for the insider risk consultancy in Blacksmiths Group. She previously spent a thirty-year career in a range of foreign policy- and national security-related roles in UK government.