When we hear the term ‘changing the culture of an organisation’, many of us are guilty of assuming the process is somewhat linear in its mathematics. Simply put, all you really need to do is subtract the ‘what not to do’s’ from the ‘what we expect you to do’s’ and there you have it. Simple, right?
Wrong. People are complex and, more often than not, what they say or do is not symptomatic of what they really mean or believe. Change is habitually avoided because people fear it, so imagine putting the two together. Our simple linear sum is now looking more like an equation from the theory of relativity.
As a result, the typical change management programme is pumped full of caffeine and sprinting down the race-track at 120mph quicker than you can say ‘security awareness’, with no finish line in sight. Every resource known to man gets thrown at it; eLearning, blended learning, instructor-led learning, computer-based learning, all the learnings, until you’re left blue in the face wondering why, when it comes down to it, nothing has actually changed.
Gestalt principles advocate that the whole is greater than the sum of its parts; generating change goes beyond understanding the Oxford Dictionary definitions of culture and behaviour as separate entities. There’s no denying the relationship between the two concepts: culture influences the behaviours people perform, and behaviours are performed in line with the culture. So now we are faced with a far more complex problem: where do you start? Do you attempt to change the culture and hope the expected behaviours follow (neither an easy nor a recommended route), or do you compile a list of ‘don’t do’s’ and hope that employees will eventually cop on and do the right thing (because we all know how often that happens)?
The first step, I believe, is to really know your organisation and its culture. Now I’ve mentioned ‘culture’ seven times already **reads back to count**, so it’s kind of a big deal. It’s the new fad term that all cyber professionals are banging on about, me especially, but what is it really? Let’s try to understand what we mean by culture from the perspective of an ‘I’m a normal human being with a job, a mortgage and a life’.
Culture is everything you see, and don’t see, within the organisation. It’s the clothes people wear to work and the small talk at the coffee machine. It’s the professional email courtesy towards management right down to social interactions with the outside world. Company ‘X’ is company ‘X’ because of all these things, and these things truly matter. Only by putting in the effort to understand your employees and your organisation can management obtain the change they need. There is no ‘one size fits all’ approach to cyber security culture change.
Throughout these blogs I’ll be talking about security awareness programmes: their design, their delivery and everything in between. What works, what doesn’t, and quite frankly what absolutely not to do! Be warned, there may be the odd buzzword in there, but rest assured I will be avoiding corporate waffle as much as possible. This is changing the cyber security culture of organisations… the real way!