Leading by example

Building a robust security culture is central creating a successful security strategy within any organization. Here, I had the opportunity to discuss with two industry leaders — Kirsten Provence, Executive Director Security Programs & Governance at Kaiser Permanente, and Kristine Raad, Chief Security Officer at General Motors, their approaches to security and creating a positive culture from the top down.

“It really doesn’t matter what industry you’re in, security is everyone’s responsibility. However, you can’t just say that and not give people the tools to drive security and resiliency,” says Provence. “People, at their core, want to be empowered, and by providing them with some key components to enable them to be a security ambassador, an organization is essentially scaling its security apparatus by a huge magnitude.”

“Security culture to me is made up of the beliefs, values, attitudes and behavioral norms the organization and its employees have toward security,” says Kristine Raad, Chief Security Officer at General Motors. “An organization’s security culture is truly the driver of their policies, investment decisions, risk awareness and day to day actions; all of which are the outward expression of the culture.

Contributing to a positive security culture

When it comes to building a strong security culture in an organization, transparency and communication is key.

“People have to know what measures are in place in order to assess what additional tactics they may need to employ to increase security,” Provence says. “As with anything, communication is key. The more that an organization can provide topical messaging to team members about security, the more that those team members will think about security as a continual thread in their daily operation. That’s not saying that security organizations should be releasing multi-page intelligence summaries for the general population of an organization to consume, but a quick one-page graphical flyer that gives some key takeaways on a topic can be incredibly powerful.”

“Creating a positive security culture is no simple task and requires a comprehensive and consistent strategy,” adds Raad. “This includes:

1. Building a positive attitude towards security through education, marketing and leadership messaging focused on the benefits to individuals and business interests.
2. Ensuring leaders are onboard and model the desired behaviors to create norms for their teams.
3. Creating awareness of key concepts through engaging training and micro learning.
4. Communicating key principles and policies at all levels of the organization on a regular basis through a variety of channels.”

The role of leadership

When it comes to shaping or fostering a security-conscious culture within an organization, both Raad and Provence say it is important for the message to come through leaders from the top down.

“Building the organization’s security culture begins with leadership clearly defining core values through strategic goals and policies, communicating with consistency and modeling the behavior through their actions and decisions,” Raad says. “Leaders are absolutely critical in creating a positive security culture. When they model behaviors including a positive security attitude, compliance with policies, and decision making that supports security initiatives, they are establishing social norms and expectations for the behavior of their teams and others.”

“As with many things, shaping a security-conscious culture starts at the top,” Provence adds. “That means leadership must set the example of how they want their team members to engage with security every day.”

For security leaders looking to enhance their organization’s security culture, these leaders offer this advice.

“Start talking and empower your security team members to do so too. Your CSO isn’t the only face of security. All team members are, and they should be empowered and trusted to do so,” Provence says. “Give them some high-level talking points about the security organization’s top-line goals to use as conversation starters, and then they can take the conversation down their area of expertise on their own. It will connect their work to the larger mission and will scale the power of the ‘CSO elevator chat’.”

“Start by identifying what your security culture goals are for the organization and what gaps exist between your current and desired state,” Raad says. “While this sounds simple, determining the measurable attributes and desired outcomes is the most important step. I recommend engaging with strategic partners and leaders to gain their support and ensure alignment to overarching organization goals which is essential to successful culture change.”