If your organisation was an animal, what would it be? Is your organisation a risk taker? Short-sighted? Perhaps it’s slow to react? I’ve worked for elephants, giraffes and even a hyena. Animals and organisations both have their behavioural quirks and ways of optimising their survival chances in their particular environment. However, what worked in the past isn’t always the best survival tactic in the present. Sometimes organisations need to adapt due to factors such as customer demand, regulatory changes or new environmental risks. Behaviours adopted in the mistaken perception that they are helpful can even be self-harming and may need to change.
Last month we discussed information security culture and the shared underlying unconscious assumptions of staff that frame it. This month we talk about how to go about trying to change security culture. Changing the culture of an organisation can be a significant challenge and I’ve seen many efforts fail.
There are three things you need to know before you start. Firstly, you need to identify what problematic behaviours exist. Secondly, you need to understand what beliefs, attitudes and unconscious assumptions are enabling them. Thirdly, you need to know what cultural values you’re aiming for to re-align the organisation’s behaviour towards its key goals. Potentially, this means the ‘un-learning’ of one set of beliefs and the learning of a new set.
Broadly, successful culture change requires three components:
- There needs to be evidence of a problem or a failing in the organisation’s ability to cope. Some cultural change experts such as Edgar Schein refer to this as ‘disconfirming data’. Cognitive dissonance can make it difficult for people to admit they’re in trouble. Without adequate supporting data, causes might be misattributed to factors such as ‘seasonal variances’, ‘market movements’ or my favourite security scapegoat, ‘idiotic users’. The more fundamental problems of systemically failing processes and system design mistakes are glossed over. Therefore, to be effective, the disconfirming data needs to be robust and presented in a way that makes it indisputable. For example, ‘our security processes are too complicated’ can be disputed, whereas ‘our staff perceive our security processes as too complicated’ cannot, since the perception is valid for those who hold it. It’s also important to have recognition of ownership of the problem. If staff are able to claim that the problem is ‘over there’ with another department, then they are unlikely to accept a need for cultural change.
- The disconfirming data must relate to key organisational goals. There’s a brilliant quote from Milton Friedman: ‘Only a crisis, actual or perceived, produces real change’. It’s important that the evidence of a problem relates to a key organisational goal and raises fundamental questions about the survival of the organisation or the purpose of its existence. If the failing is not directly relevant to the organisation’s core goal, or can be explained away, then there is unlikely to be a cultural change.
- Staff need to feel safe in trying new ways of working to change the organisational culture. This aspect is frequently overlooked in cultural change programmes. Trying new ways of working is time consuming and can lead to mistakes because the ways of working are unfamiliar. Consider that for many staff, working slower and making mistakes is not an attractive prospect. It’s important that staff feel that new ways of working will not be criticised by peers and that mistakes made in the name of adaptation will be tolerated and not punished by management.
It’s important that all three ingredients are present in order to successfully promote a culture change. Is your information security awareness campaign struggling to promote safe behaviours? Maybe it’s coming into conflict with other organisational values such as speed and cost? Perhaps it’s time to dig a little deeper into the underlying attitudes and start looking at a cultural change programme.