How do you take a security awareness program from checking the boxes to being a truly integrated security culture? First, you have to reframe your mindset, says John Rodriguez, founder of Empathic Security Cultures LLC. Rodriguez has been a security practitioner for 40 years and has learned and honed these skills over time, studying more than 100 companies. Now, he wants to share those lessons through Empathic Security Cultures.
Rodriguez has held security leadership positions at a number of organizations in the past, including General Motors, Levi Strauss & Co., Cardinal Health, Temple-Inland and Kimberly-Clark, holding responsibility for physical security, workplace violence and other risk mitigation initiatives.
He says that there are two parts to building effective physical security and successful security culture within an organization. One of those pieces is the operational component, including technologies, policies, training and procedures. “That’s the science of security,” he says.
The other component is the art. “The art is the human aspect to security,” Rodriguez says. “It’s focusing on the psychological, the philosophical, the social, and how to influence people at all levels — from the CEO to the third-shift employees — to agree to protect each other and provide information so you can address any security deficiencies.”
Security leaders can focus on the art of security to build an integrated security culture that sits on top of the culture of the overall organization. According to Rodriguez, a true culture helps security leaders force-multiply their staff by encouraging all employees within the company to act as the eyes and ears of the security team. A security culture built on trust and empathy can also reduce burnout among both security and non-security employees, as well as reduce stress and trauma from the job.
In other words, he says, psychological safety is just as important as the physical security component. If you can provide that to employees on an organizational level, the security of the organization will be all the better for it. “You can bring a lot of value to the organization if the people that work there feel safe and secure,” he adds.
When focusing on culture building, education — or rather, telling the story of security — is critically important, and this is where the art of security comes into play. “I don’t use the term security awareness; I like to call it security requests because we are asking everybody in the organization to help protect one another. It’s a very complex thing, and you can’t force people to do it. You have to build a culture, build buy-in and build trust so they want to help contribute to that culture,” Rodriguez says. One of the ways to do that is through connecting with people.
For large, national or global organizations, Rodriguez says, there are three levels of opportunity to build those connections and tell security’s story:
- C-suite
- Business unit level (emergency management, health and safety, HR, legal, regional units, etc.)
- Site level
While C-suite and business unit buy-in are crucial to establish a culture and achieve company-wide sanctioned support behind security’s relevance, the site level is, ultimately, the place where a strong connection begins and ends. “Those site-level employees are the ones that create credibility of your programs [in the eyes of other employees]. Collaboration and commitment from the site level will ensure a stronger culture,” Rodriguez says.
Connection on such a level requires security leaders to understand what drives people and what’s important to them to get them to embrace security’s message rather than view security from a compliance mentality.
The easiest way to begin building those connections is to identify advocates within the organization at all levels. Advocates or supporters are those who are willing to speak on behalf of security and help further the culture and mission by positively reflecting its mission and values. Advocates who are willing to help tell the story of security and connect with people on a personal level can help security teams break down barriers and create a sense of trust with others.
But, while supporters are important tools for security teams in culture creation, the naysayers shouldn’t be ignored, according to Rodriguez. “The naysayers will be the people that don’t like security or think we are corporate cops out to get them in trouble. I run toward those leaders, learn why they feel that way, and ask them to give us a chance,” he says.
Security leaders should formulate and practice a plan (either formal or informal) that the function will follow, focusing on: who to connect with; how to connect with them; defining elements of the program, values and mission the security function hopes to share; and verbalizing goals of what the security culture would look like.
A component of the plan should be practicing stories that are designed to communicate the importance of security and to connect with others on a personal level, drawing out empathy and buy-in. “Connect with people, tell them your story, and be open to listening to their stories. When you can listen and connect on a level of story, one person at a time, you will make changes happen,” Rodriguez says.
Though the steps of building a culture sound simple when deconstructed, the path is not a linear one. It will take years to develop and will require patience, persistence and agility on the part of the security leader. “The dynamics of business and people are always in flux, and you have to have that in mind and be prepared to adapt to the changes,” Rodriguez says. “You will not develop a security culture overnight. It takes time, one person at a time.”