TCDI is pleased to announce the release of an important and timely white paper, “Developing a Security-Oriented Corporate Culture.” Organizations that do not develop a security-oriented corporate culture are risking fraud, loss or misuse of data, and even legal responsibility when information is compromised, according to the white paper written by Eric Vanderburg of TCDI.
Eric, Director of Information Systems and Security at TCDI, wrote the white paper as a means of informing clients that corporate culture is a vital aspect of information security. Readers will benefit from his detailed analysis, which is available free online.
As the white paper makes clear, “the greatest security initiative may fail because of an incompatible corporate culture.”
Developing a Security-Oriented Corporate Culture
Managing the security of an organization can be quite confusing. It can seem like an uphill battle when basic security awareness concepts such as keeping passwords secret or refraining from discussing confidential topics outside the workplace are consistently ignored. Why do some security initiatives fail while others succeed? The answer may lie within the corporate culture.
This white paper will define corporate culture and explain how to conduct a cultural assessment at your organization. It will then identify the characteristics of a security-oriented organization and share tips on how to develop these traits within your corporate culture.
Defining Corporate Culture
Corporate culture, also known as organizational culture, is the invisible lifeblood of a company made up of the values, priorities, assumptions, and objectives of those within the organization. Just as the body rejects an incompatible organ, the greatest security initiative may fail because of an incompatible corporate culture. To determine if such a disconnect exists, a company’s current organizational culture should be assessed to identify its level of security-oriented awareness.
Conducting a Cultural Assessment
The objective of the cultural assessment is to discover the characteristics of a corporate culture in order to determine whether or not security is viewed as a priority. Assessing a corporate culture requires critical thinking and analysis because it lies underneath the surface. It is the model employees use for conducting their regular activities and the basis for evaluating options and ideas. As such, it is not something that can be understood just by observing employees’ actions and opinions within the current climate.
In his book “The Corporate Culture Survival Guide,” Edgar H. Schein, a professor of management at the MIT Sloan School of Management, outlines a three-tiered method for understanding and identifying corporate culture. The three levels depicted in Diagram 1 begin with artifacts, move deeper to espoused values, and conclude with shared tacit assumptions (1999, p. 15).
Diagram 1: Edgar Schein’s three levels of understanding corporate culture
The artifacts observed at the first level include easily visible items such as cooperation, attitude toward work, office layout and the number of levels of management. Additional examples can be seen in Diagram 2. It is here where observers can make initial assumptions about culture. But first-level artifacts, while interesting, are still only pieces of data.
Diagram 2: Level 1 cultural artifacts
The second level involves asking questions to understand why the artifacts exist. The answers to these questions will illuminate the espoused values present within the organization. Uncovering these values is important because two cultures could share the same values while using vastly different methods to reinforce them. For example, one organization may utilize extensive training to prevent social engineering and have an open policy on information while another conducts little training but relies heavily on the “need-to-know” principle. When asked about these artifacts, members of both companies may state that they do this out of a desire for privacy and confidentiality.
To aid in discovering these values, Chia, Ruighaver, and Maynard created a model that can be used to evaluate the quality of an organization’s security culture. The model builds on previous work by Detert, Schroeder, and Mauriel (2000) on the values that make up an effective Total Quality Management (TQM) culture. The researchers applied the TQM framework to corporate culture, organizing it into eight cultural categories or “dimensions” as can be seen in Diagram 3.
Diagram 3: Chia, Ruighaver, and Maynard’s eight cultural dimensions
The first dimension, the basis of truth and rationality, is concerned with how employees view current security initiatives and policies. Questions in this dimension identify whether or not employees see their company and its procedures as secure. The second dimension is the nature of time and time horizon. Questions in this dimension determine whether long-term, short-term, or both long and short-term security goals are important. Motivation, the third dimension, addresses how employees are motivated to put security into practice. The fourth dimension is orientation and focus. This dimension centers on whether the responsibility of creating security initiatives belongs to the business itself or the government.
The fifth dimension is stability versus change, innovation and personal growth. This dimension is centered on how much the culture embraces change. The sixth dimension is the orientation to work, task, and coworkers, and is concerned with how responsible employees feel about security and the impact that its initiatives have on others. The seventh dimension, isolation versus collaboration, deals with the amount of cooperation that exists between employees. The final dimension, control, coordination and responsibility, addresses the alignment of security and organizational goals and the direction in which directives flow.
Exhibit A contains a series of questions that can be used to identify elements of corporate culture. A cultural assessment can begin by posing these questions to various people within the organization. The answers will differ from person to person, illustrating how an individual’s perception differs from the actual culture.
Once these dimensions have been evaluated and the espoused values determined, a company can move on to Schein’s third level: shared tacit assumptions. It is here where culture is understood as a concrete assumption rather than an abstract value. Shared tacit assumptions are the unspoken and implicit underpinnings of the workplace. These assumptions arise out of a history of success and are reinforced by further successes. This process forms the experiential knowledge that almost subconsciously governs decision making in the future. In explanation of the concept, Schein argues that as a firm grows, leaders will attract others with similar values and beliefs. Just as children are socialized by the factors in their environment, after each success, present values become more internalized by the members of a company and accepted as the proper way to act.
Inherent Traits of a Security Culture
Research points to certain organizational traits that significantly impact security culture. Michael Caloyannides, an information security researcher and senior fellow at Mitretek Systems, writes that traits essential to a security-oriented corporate culture include the freedom to ask questions, respect for privacy, and an environment of creativity. Chia, Ruighaver, and Maynard add long-term thinking and embracing change, and they, along with Koh et al., highlight valuing information security.
Together, these traits of embracing change, valuing information security, having an open environment, promoting creativity, respecting privacy, and thinking long term will help a corporate culture become more security-oriented.
Members of a security-oriented culture must be open-minded and able to adapt to a changing environment. Emerging social and technological threats, along with changes to regulatory requirements and legal processes, compel companies to be able to adapt accordingly to remain successful and to better serve their clients.
Valuing Information Security
Some employees have little regard for information security. They may not conform to security policies or may even bypass security controls entirely. If so, then altering this mindset will be the most important change that will need to be made to create a security-oriented culture. Chia, Ruighaver, and Maynard argue that the belief that security is of the utmost importance can be reinforced by increasing the participation of employees in making security decisions.
Koh et al. conducted similar research on security governance. Their study demonstrated that participation is the primary factor contributing to increased responsibility and sense of ownership of security initiatives. As a result, greater participation levels also motivate employees to be more security-conscious and take responsibility for the security of their own projects and clients.
Creating an Open Environment
Along with increasing participation in security initiatives, an organization looking to create a security-oriented culture needs an open environment where people are free to ask questions without consequences. Too often, organizations accept information from sources such as the media and government at face value without questioning the source’s bias or motives. While such recommendations are useful as a basis for creating or improving security initiatives, they do not necessarily address the critical vulnerabilities faced by individual companies.
It is the employee’s responsibility to discern in detail what is heard and read and ask questions as to how the information can be adapted to fit the company’s specific needs. By providing an open environment for initiating such discussions, a company is increasing participation while generating new ideas to protect its operations better in the future.
Creativity allows employees to think outside of the box, ask the right questions and produce innovative solutions. Companies depend on creativity to combat malicious efforts to gain access to confidential data. Attackers themselves are very inventive when it comes to the exploits they develop, and countering them requires the same level of ingenuity. As such, Caloyannides cites the need for an environment that promotes the innovations of individuals within a company as an essential part of corporate culture.
Without respect for privacy, even the most engaged employees will find it difficult to implement a security-oriented culture. Caloyannides states in his 2004 IEEE Security & Privacy article “Enhancing Security: Not for the Conformist” that privacy is often sacrificed for what is perceived to be better security. In actuality, that perceived security is just an empty solution with no real value. A culture that respects the privacy of employees and clients will embrace policies and technologies surrounding confidential information.
Thinking Long Term
By working on developing a security-oriented culture, a company has already begun developing long-term thinking. Security is not something that can be continually patched; it must be properly designed and thoroughly analyzed. Some companies can become so preoccupied dealing with immediate needs that they do not give enough attention to their long-term objectives. By creating attainable goals with long-term elements, a company can set itself up for success and foster a culture of security that will reinforce the strategy and goals it advocates.
Changing Corporate Culture
It is hard to perceive corporate culture and even harder to manipulate it. As was previously noted, the complex cultures of organizations can be revealed by conducting a cultural assessment. What is often revealed, however, is that the present culture is inhibiting compliance with new legislation, regulations, and security initiatives. As a result, changes must be made.
A popular method used by businesses today to change corporate culture is based on Kurt Lewin’s “Change Management Model” of Unfreeze-Change-Refreeze. The first part of this model, unfreeze, includes preparing a company to accept that change is necessary and creating a sense of urgency. Communication is essential: if employees understand why change must happen, they are more willing to accept it. Encouraging employee participation and soliciting their input also leads to better results.
Diagram 4: Kurt Lewin’s change management model
After the values have been challenged, the second stage of change can begin. The change step is a difficult one as employees are asked to put theory into practice and start doing things differently. It is important to realize it will take time, coaching, documentation, and plenty of communication before changes will begin to take effect.
When enough changes have successfully taken effect, such as implementing the traits previously discussed, the company can move forward into the third and final stage: refreeze. At this point, it is important to create stability through ongoing training and reinforcement of positive behaviors so that employees do not revert to their old habits. The goal is for the changes to be embraced throughout the organization and incorporated into the standard operating procedures.
It is important to remember that corporate culture is not something that can be altered overnight. It has evolved slowly over the lifetime of the company and has become firmly ingrained throughout the organization. To change it successfully takes careful planning, strategic thinking and constant reinforcement. Celebrating the company’s success with the employees who made it possible further encourages people to continue striving toward the company’s new security-oriented culture.
About the Author
Eric Vanderburg is the director of information systems and security at TCDI. TCDI’s consulting practice is a trusted resource for law firms and corporations whose litigation technology needs are as varied and specialized as the organizations themselves. TCDI’s international consulting practice focuses on the application of technology solutions to today’s challenging business and legal demands, including information security consulting, litigation document management and online review, electronic discovery, legal analytics and review and computer forensics.
Vanderburg is a graduate from Kent State University with a Bachelor of Science in technology and a Master of Business Administration with a concentration in information systems. During and after his education he worked as a consultant specializing in the development and maintenance of information management and network security systems for businesses, law firms and government agencies. He was a professor of computer networking at Remington College where he taught courses on information security, database systems and computer networking, and he has been invited to speak at many organizations and campuses on technology and information security.
Vanderburg joined TCDI in 2006 to manage information systems and security for TCDI and its clients. He holds over 25 vendor certifications including Certified Information Systems Security Professional (CISSP), Holistic Information Security Practitioner (HISP), Certified Wireless Security Professional (CWSP), Hitachi Data Systems Certified Professional (HDSCP) and many certifications from Microsoft and Cisco.
Since 1988, TCDI (Technology Concepts & Design, Inc.) has partnered with large corporations and law firms to provide advanced litigation support software and services for electronic discovery, hosted review and production and large-scale litigation case-file management. The company combines advanced technology and automation with superior client partnerships and has been a technology partner in some of the largest litigation in U.S. history. To learn more, visit www.tcdi.com.
Blake, S. (2000). Protecting the Network Neighborhood. Security Management. 44(4), 65-71.
Caloyannides, M. (2004). Enhancing Security: Not for the Conformist. IEEE Security and Privacy, 2(6), 86-88.
Chia, P. A., Ruighaver, A.B., & Maynard, S.B. (2002). Exploring Organisational Security Culture: Developing a Comprehensive Research Model. Proceedings from IS ONE World Conference, Las Vegas, USA.
Chia, P. A., Ruighaver, A.B., & Maynard, S.B. (2002). Understanding Organisational Security Culture. Proceedings from PACIS2002: The 6th Pacific Asia Conference on Information Systems, Tokyo, Japan.
Detert, J., Schroeder, R., & Mauriel, J. (2000). A Framework For Linking Culture and Improvement Initiatives in Organisations. The Academy of Management Review, 25(4), 850-863.
Koh, K., Ruighaver, A.B., Maynard, S., & Ahmad, A. (2005). Security Governance: Its Impact on Security Culture. Proceedings from the 3rd Australian Information Security Management Conference, Perth, Australia.
Lewin, K. (1947). Frontiers in Group Dynamics: Concept, Method and Reality in Social Science; Social Equilibria and Social Change. Human Relations, 1(1), 5-41.
Ruighaver, A.B., Maynard, S.B., & Chang, S. (2007). Organisational Security Culture: Extending the End-user Perspective. Computers & Security, 26(1),
Schein, E.H. (1999). The Corporate Culture Survival Guide: Sense and Nonsense About Cultural Change. San Francisco, CA: Jossey-Bass Publishers.
Von Solms, B. (2000). Information Security – The Third Wave? Computers and Security, 19(7), 615-620.
Want, J. (2006). Corporate Culture: Illuminating the Black Hole. New York, NY: St. Martin’s Press.
Whiting, R. (1999). Warehouse ROI. InformationWeek, May (735), 99-104.