Organisational Culture. The Root of Security Enablement by Cúchulainn Morrissey

                Culture, although an ultimately intangible force can prove to be one of the single greatest obstacles or enablers of security. To quote the philosopher Charles Handy, culture can be viewed as “the way we do things around here”, a simplistic description perhaps concealing the behemoth beneath. As organisational psychologists have deliberated over for decades, the way we do things is the amalgamation of our collective values, behaviours, and beliefs as initially role-modelled by the organisation’s leadership. This role-modelling unquestionably impacts on every facet of the business from strategy development to the allocation of resources and much more. So how does this affect us as security practitioners?

               

We have all heard the statement “culture eats strategy for breakfast”, however, the very real implications of it are often felt in daily security operations, from management right the way down to supervision and frontline operations. A culture that appreciates the role of security will enable security to be more effective while admittedly, often we may be met with a culture that tolerates rather than embraces what it is we do. While this is not meant as a criticism, understanding the intricacies and implications of organisational culture can better allow us not only to engage more effectively with our organisations but to understand the “why” behind our organisations’ behaviour and how we are expected to integrate with it.

                Previously, in issue 6 of TPSO, I wrote an article about developing the organisational influence of the security function, in this issue, we will explore the environment in which we’re building that influence and how our approach may be helped or hindered by the culture in which we find ourselves entrenched.

What Is Your Organisation’s Culture?

                Organisational culture is often defined as the “accepted standard of behaviour” within an organisation. While this is an almost universally accepted definition, to a degree it disregards the underlying beliefs that act as the guiding hand of what is deemed acceptable behaviour. You see, organisational culture is altogether more dynamic than a company motto plastered above reception or a set of words printed on a company lanyard, true culture is the organisation’s values embodied in each and every employee in their words and actions. How many times have you read company values that include words such as “integrity, accountability, and diversity”? Noble words indeed, but without actions that embody, reinforce, and celebrate them, they remain corporate jargon.

                This is not to say that all organisations that claim to have similar core values are being ingenuine, many have good intentions, however, their execution of those intentions may fail them and thus the actual culture of the organisation is heavily distorted from the original vision or in some cases the polar opposite. Likewise, there are organisations that deliver on their core values and develop a strong culture that not only embodies their initial values but also related values which serve as a testament to their vision and leadership and ultimately benefit the business as a whole.

                So, ask yourself what does acceptable behaviour look like in your organisation? Be honest with yourself, you may not even be aware of your organisation’s core values but you will likely be familiar with how people behave in the organisation and how their behaviour is received by others. Are you satisfied with your organisation’s standard of acceptable behaviour? Do you feel that as a professional, you can develop and flourish in that environment?

Culture: A Security Obstacle

                So, you’ve developed a well-rounded skill set, learned the vernacular of influencing figures, extended the olive branch to other departments in an attempt to grow the influence of security in your organisation and you’ve gotten to the point where CPD is your new religion. You are the consummate professional and you’re positively bursting with fantastic ideas that will reduce risk across the board, save the company a small fortune and make everyone look good in the process…but no one wants to listen.

                Do not take it personally, perhaps the organisation’s culture is not receptive to, or may even fear change, after all, most people are not particularly fond of change, especially radical change. Security for the uninitiated can be difficult to understand and even more difficult to appreciate regardless of how well it’s presented, however, an organisation that continuously fails to acknowledge the value or even potential of the security function is doing itself a disservice. Perhaps, security in this hypothetical organisation is regarded as somewhat of a nuisance and hence the security function is fundamentally undermined because it lacks support from leadership and finds itself isolated from the organisation’s otherwise unitive culture. The security function, in this case, is subject to intense scrutiny, even suspicion, likely the result of poor prior experiences on the half of the organisation, a heavily hierarchical and/or rigid organisational structure, or simply herd mentality has formed because of poor role modelling.

                Regardless of the reasoning for the continuous denial of ideas or outright hostility toward the security function, environments that undervalue security or any other function of the business for that matter risk creating a culture of blame and denial. A culture that normalises this behaviour puts itself at greater risk as it evidently lacks the appetite for change and thus faces a future in which “the way we do things” becomes an excuse for poor foresight.

Culture: A Security Enabler

                Just as culture can prove to be an insurmountable hurdle over which any attempt to jump seems to fall short, it can also prove to be a driving force behind our ideas and innovations. This is not to say that a culture of enablement automatically accepts everything at face value, far from it. If anything it scrutinises our thinking even further, however, unlike a culture of inertia this is to refine our thinking and ultimately benefit the organisation in the long-term. Essentially the old adage of steel sharpens steel applies, we have to be willing to accept that to take a little we have to concede from time to time too.

                Cultures that enable innovation, breed collaboration, and embody their core values are by default environments of mutual respect. This mutual respect is the open door that allows our influence to shine and begin to impact positively on the organisation if handled responsibly. Of course, mutual respect is not merely achieved by being astute professionals as we’ve seen. It’s the result of various factors including but not limited to facets such as the role of security in the organisation, the behaviours of the organisation’s security leadership and, of course, leadership as a whole, long-held beliefs and perceptions, etc. If any of these facets are overwhelmingly negative, resistance is inevitably going to develop regardless of our best intentions.

                An organisation whose culture enables security is one that understands its role in the organisation, perceives it to add value and is willing to have its processes questioned for its betterment. This is not to be mistaken for the idea that everyone has free reign and can do as they please but that the organisation allows for flexibility and shortens power distance when necessary. If this sounds like your organisation, you may find that this type of culture not only allows your department to excel but instils a desire for you to see others excel, enablement further breeding enablement.

Contributing To Culture: Be The Change You Want To See

                Admittedly, much of this article has focused on negative aspects of organisational culture, that is not to say that cultural awareness is a path to inevitable disappointment. If anything, being realistic about where our organisation currently stands better enables us as security practitioners to contribute to the strengthening or outright overhaul of the organisation’s current culture. While it remains true that much of organisational culture comes from the top down, it is not impossible to influence culture from the bottom up and this may be where you stand as the catalyst for change.

                Change will not happen overnight and you must keep in mind that it is likely your colleagues may have been adhering to the same way of operating for quite some time, hence the reason for change must be clear, communicated consistently, and led by example. It is only through achieving the accountability and buy-in of your peers that change will not only become viable but attractive. A positive mindset and willingness to explore the middle ground is an absolute necessity in the quest for cultural transformation, as villainising individuals or entire departments is counterproductive and serves only to burn bridges and contribute further to the culture you may find yourself dissatisfied with.

                While this article has merely touched on the complex topic that is organisational culture, the takeaway point is that only through understanding our current culture and contribution to it can we begin to enable ourselves and our peers to nurture a culture of security enablement.

Cúchulainn Morrissey

Cúchulainn is a security supervisor for a prominent cultural property in the south of Ireland. Cú has operated extensively on behalf of blue-chip multinational organisations and cultural properties along with providing training to new security industry practitioners. An advocate for professional development and member of a host of professional bodies, Cú founded Cork Security Society, a social forum for Irish security industry professionals in 2019 with the aim of providing regular, free CPD opportunities to frontline security operatives.

Connect with Cú – https://www.linkedin.com/in/cumorrissey/

Join Cork Security Society – http://corksecuritysociety.ie