Creating a Security Culture
The culture of any organization is defined by shared attitudes, values, and practices that support a mission. In security, the primary mission is the protection of people, information, and physical assets, such as facilities. The goal of any security leader should be to establish and encourage a culture that maximizes the support of this mission. At one government contracting firm, the senior manager of information assurance (IA) established an effective security culture by enlisting all employees in the security mission.
When the senior manager arrived at the firm two years ago, there was an IA department, but the staff was small and overworked. Tasked with overseeing the protection of information, including classified materials, for the company’s government contracts, the IA team had a critical function within the organization. However, the company had no long-term strategy regarding information security issues.
IA staff members spent most of their time working on government accreditation requirements, leaving little room for other critical issues, such as tracking classified information and educating employees on national security data protection. In addition, due to its size and complexity, the company faced many challenges in getting up to speed when there were changes in government-mandated security requirements.
Senior leadership supported the overall security program in principle. However, participation from individual product-line vice presidents varied. Some fully participated in the IA program, and some delegated the responsibility. In instances where the department leader delegated authority, IA failed to get the necessary attention. A lack of metrics meant that there was no way for senior leaders to benchmark or grade existing security efforts in each product line.
The senior manager initially served as a product line security manager, reporting directly to the vice president in charge of IA. In this capacity, the senior manager led meetings to provide education, training, and metrics on the product-line security program. A few months after he began his new position, an annual audit took place. After careful analysis, it was determined that his efforts at the product-line level contributed to a smoother, more accurate audit. As a result, the program was implemented across all of the company’s product lines.
The senior manager was then selected to lead a companywide IA program. To make the program a success and positively affect the security culture at the company, the senior manager focused on four areas: teambuilding, cultivating relationships, demonstrating value, and communicating effectively.
Building the Team
Building a team that could help protect security information was a top priority for the senior manager. Hiring more IA personnel was not financially feasible. So, to create a companywide team and take the pressure off the beleaguered IA staff, the senior manager developed a plan we’ll call the integrated security program (ISP).
Under the program, which represented a major change at the firm, members of product teams volunteered to become the security contact for their respective groups. These employees provided security information to the product team and also reported the team’s compliance to security. The program shifted the security presence from an isolated group of IA employees to members of each product team. The goal was to make security a partner rather than an outside enforcer and to spot challenges before they blossomed into crises.
The ISP program was strictly voluntary, and no departments were pressured to join. However, over the course of several months, teams with an ISP member reported better security compliance, and more departments asked to join. ISP membership gradually grew from a team of 12 to more than 70.
A key component of the program was that it enhanced the career advancement opportunities for participants. The ISP training program included a robust orientation program, professional certification opportunities, and an opportunity to participate in project development. ISP members were often the first to be promoted, making the program even more popular.
To cultivate relationships with employees and instill a greater sense of ownership in the security process, the senior manager launched biweekly meetings with product-line employees. He not only provided information on how to handle sensitive data, he also told them why they should do so.
The senior manager acquainted employees with the National Industrial Security Program Operating Manual and explained how its tenets were relevant to daily operations at the company. By giving employees the rationale for security procedures, he gained their support. In addition, he conducted safety tours for senior managers so that they could see how front-line staff enhanced security and safety.
Additionally, through the ISP program, the senior manager was able to cultivate personal relationships across all levels of the enterprise, both in and outside of the security staff. To win over employees, security had to become a proven business partner in addressing problems. The senior manager and his team invested much of their energy in building relationships with the company’s employee and management population.
For the program to get resources and flourish, it needed the support of corporate stakeholders. To garner that support, the senior manager developed relevant metrics that could communicate the program’s effectiveness in business terms.
For example, IA delivered quarterly audits of all information systems to the company’s executive committee. The senior manager devised a detailed checklist that paralleled those used in the government audits. This made both the information and the format of the audit familiar to all stakeholders.
Metrics were collected on any training weaknesses and detailed statistics were compiled on paperwork completion, physical security controls, labeling, briefings, and system configurations. Separate metrics were kept on incident reports, including the outcome of any investigations, and on implementation of new technology.
Communicating Effectively
Communication was viewed as one of the most critical elements in developing the company’s security culture. The ISP program brought security on board as a member of the team and not as an obstacle to success.
As a result of the new relationship, the senior manager and his IA team were often consulted about nonsecurity items. That higher level of communication gave IA an opportunity to become more knowledgeable about the entire organization, which made it more effective.
The IA system has been so successful that the company is sending the senior manager on a one-year assignment to implement the program at another of the company’s subdivisions.
A company can tell that it has succeeded in establishing an effective security culture when security attitudes and practices go from tolerance to acceptance. At that point, there is a greater chance that employees will follow security protocols even without anyone looking over their shoulders.
Deborah Russell Collins is the executive director of the National Security Training Institute. She has worked in the security industry for more than 30 years and currently serves on the ASIS International Defense and Intelligence Council.