Culture is crucial for nearly every enterprise; a strong culture can lead to a successful organization and a lack of culture can cause an organization to be unsuccessful. These days, many enterprise leaders say that organizational culture is not only a key to success, but actually more important to success than strategy.
In a 2021 survey, 66 percent of the executives and board members who responded said culture is more important to business performance than overall strategy or operations. Moreover, 72 percent of senior management said their enterprise’s culture helps facilitate the success of change initiatives.1
One key reason culture is so important is that, in the broadest sense, culture serves as the tacit social order of an enterprise. It shapes attitudes and behaviors. Cultural norms define what is encouraged, discouraged, accepted or rejected within an enterprise.2 If the culture is aligned with the organizational mission and operations, and with the values and needs of staff, energy can be harnessed and applied to shared purposes and sustained performance.
For example, in an enterprise with a strong security culture, the staff collectively understands the importance of information security, and each staff member contributes to protecting the enterprise against security risk and threats. Similarly, an organization with a strong compliance culture will be staffed with employees who understand that they have a role to play in compliance. For many enterprises, security has become especially important due to the unprecedented challenges and disruptions caused by the COVID-19 pandemic. And yet, regardless of how important security is to a particular enterprise, organizational culture does not start and stop with security. An information security manager should understand all aspects of the organizational culture.
Assessing Organizational Culture
The information security manager can improve an enterprise’s cultural management and lead cultural change or even cultural transformation if needed. But a manager has to possess a solid understanding of the overall culture before undertaking a change initiative.
Gaining such an understanding can be tricky. Having a clear sense of what it is like to work and function within the culture does not constitute a working knowledge of that culture. To achieve that knowledge, a manager must be able to describe how the culture’s aspects and qualities influence workers’ actions. And the manager must be able to do this with objectivity, which can be difficult if the manager’s own behavior is influencing the culture.
This understanding can be gained via an audit of the organizational culture, which the information security manager can help lead. This type of cultural assessment process gathers information on the details of the culture by means of a question-and-answer format. The specific questions and the subjects interviewed depend on what is being assessed. For example, a chief information security officer (CISO) who wants to assess the culture of the entire enterprise could interview a few staff members from every department. Conversely, a cybersecurity executive who manages a security division with half a dozen workers might interview all the staffers in that department.
Staff interviews are not the only method of assessment. If such interviews are not possible, managers can significantly improve their understanding of the culture by self-testing—that is, asking the questions of themselves and answering as objectively as possible. One of the goals of this process is to do a deep dive into the culture and learn about its underlying assumptions and values.
As a precursor to the assessment, a manager should think about the overarching theme of the initiative: What type of culture or cultural features does the manager want to create, and why? For instance, if a department produces (or wants to produce) IT security solutions, one of the key objectives is for that department to be as innovative as possible. In that case, the manager might want to create an agile and collaborative culture in which staffers at all levels make contributions, ideas are easily shared and employees are encouraged to work as members of creative and freewheeling teams. With that goal in mind, several questions posed as part of the assessment might be geared toward ascertaining whether the culture supports actions and behaviors that facilitate seamless teamwork, the creation of new ideas and a collaborative environment. Questions aimed in a different direction could also be valuable. For example, in some situations, does the culture reward selfish performance, not sharing credit and working in remote silos?
Culture Models
Following conceptual models may be helpful when conducting cultural assessments. For example, one model divides the culture into five categories: behaviors, relationships, attitudes, values and environment (BRAVE).3 These five categories can be used when formulating assessment questions.
Behaviors
Cultures reward behaviors in different ways. Compare, for example, two markedly different organizations: the US Navy and a Silicon Valley (California, USA) open-source coding enterprise. In the US Navy, one operational error can sink an entire ship, so a strict command-and-control structure with fixed rank stratification and officers who ensure that orders are carried out to the letter reinforces the importance of clear directives and regimented operations. In contrast, the culture at an open-source IT enterprise may be such that staffers are not punished for disregarding a suggestion by the chief executive officer (CEO) if they think that acting on the suggestion would conflict with the enterprise’s ultimate mission to protect information.
Assessment questions that fall under the behaviors category can help managers identify gaps between the existing culture and the culture they aspire to create. For example, does the current pay and benefits structure reward successful teamwork and collaborative accomplishments?
Conversely, behaviors can be detrimental to the culture. For example, a manager who flies off the handle and berates team members, or one whose body language and facial expressions seem closed off and forbidding, may unintentionally be cultivating an oppositional culture of anger.
Behavior-related assessment questions may include:4
- Which workplace behaviors are rewarded and, thus, reinforced?
- Which behaviors usually face negative consequences?
- Is there a gap between requested (by management) behaviors and rewarded behaviors?
Relationships
Webs of relationships and different levels of communication are present in every workplace. Even social networks that are casual and informal can be important, having a positive spillover effect on operations by enhancing opportunities for collaboration and strengthening teamwork. Carpools, happy hours and recreational outings such as golfing or hiking can be bonding experiences, and those who share such experiences may feel in sync with one another at work. Research has found that employees who consider at least one coworker a close friend are more likely to say they are engaged at work.5
In contrast, employee rivalries and resentments can hinder operations. For example, some enterprises encourage good-natured competition as a motivator and a means of increasing performance levels. However, such a culture may lead executives to believe they are all competing for promotions, which may prevent them from working well together.
Relationship-related assessment questions may include:6
- Who talks frequently to whom?
- Do effective working relationships cross departments?
- Do rivalries simmer?
- Do social networks exist behind the scenes?
- What are they?
Attitudes
Some successful enterprises promote a positive-attitude transfer philosophy—the idea that if management shows care and concern for staff and if employees do the same for one another, customer service will be improved. In some cases, the culture encourages positive interactions among staffers but tolerates fewer positive attitudes when dealing with customers. This can create an environment in which team members bond and commiserate with one another about customer issues, but customer service is poor, which can lead to business problems, such as lagging sales.
Attitude-related assessment questions may include:7
- Is the workplace atmosphere casual, formal or a mix of both?
- Are edgy joking and banter encouraged, tolerated or dissuaded?
- How are suppliers, customers and other external stakeholders treated?
Values
Cultural values are often embedded in the stories, recountings and anecdotes told about an enterprise and its people. Some of these stories take on a folkloric feel and are often told to new employees, some are cautionary tales about notable failures, and some are about heroes and antiheroes.
A hero might be an outrageously fun worker or an admirable manager—someone who bolsters the culture. An antihero may be someone who was vanquished in some way—a bad leader who was toppled or a toxic worker who was shunned—because that person’s behavior was damaging to the culture. Cultures in which antihero stories dominate may reflect an enterprise that is floundering. Similar to traditions and mores, stories are key components of culture, and much can be learned from them.
Value-related assessment questions may include:8
- What stories or legends do people tell about the enterprise?
- When are ceremonies held, and what is celebrated?
- Which values are communicated implicitly/internally vs. explicitly/externally?
On-Premise Environments
The environment offers many visual clues to culture. Office décor is often reflective of culture. Humorous photos of staff members joking around and cartoonish figures or bobbleheads perched on cabinets may suggest a friendly and upbeat workplace. Alternatively, rules posted in prominent places can reflect a culture of fear. Furnishings and office structures also offer clues. Walled-off interior offices that do not afford views of those working inside may be indicative of a closed-off work environment or culture. Of course, these visual signs are only clues, and they do not definitively characterize a workplace; however, they may help an observer understand the overall workplace culture.
Logos, symbols and brand expressions are often used to reinforce culture, and they may reflect morale. A colorful logo with a clever design may indicate a sense of innovation and thus may be suggestive of creative operations. In contrast, an outdated or confusing logo may be a clue that the culture needs to be modified and invigorated.
Environment-related assessment questions may include:9
- What is the feel and atmosphere of the workplace during working hours?
- Is the workplace filled with closed-off offices or is it more open to collaboration?
- What do the enterprise’s logos and brand symbols connote?
Changing the Culture
No culture is perfect. But sometimes the assessment process makes it clear that there is a wide gap between the culture the enterprise aspires to (i.e., one closely aligned with its operational goals and mission) and the current culture. This indicates a need for change or even transformation if the gap is large enough.
There is no one-size-fits-all formula for the cultural change process. Enterprises accomplish change in a variety of ways, using whatever methods and resources are at their disposal. Obviously, the process is not immediate, and it cannot be done by simply changing the physical environment, such as moving to a new office.
Sometimes, a key component of the cultural change process is a series of policy changes that have impacts throughout the enterprise. For example, changes in the pay structure may reward productive behavior more effectively. Programs can be introduced to improve staff relationships, and training can be implemented if behavior or attitude modifications are needed. The result of such changes, if successful, can be an improved organizational culture where staff are more engaged and motivated, teams are closer and more collaborative, and employees are more aware of the well-being of their coworkers.
Bolstering Risk Culture
To illustrate this process, consider an example scenario that involves culture change in the area of risk culture.
Risk culture, which can be thought of as a subset of an organization’s overall culture, can be defined, in essence, as an organization’s behavioral norms regarding risk that come with the execution of operations and strategy.10
For this example, an assessment of an organization’s risk culture reveals that it is not as healthy as the organization would like: unrealistic profit goals spur some workers to take inadvisable high-risk actions to hit their targets, and some workers are attempting to inflate metrics to maximize reported revenue. The assessment also reveals that a cultural attitude of avoiding losses at all costs is resulting in many employees playing it safe and failing to strive for innovation. In addition, some senior managers do not fully understand the risk faced by front line workers.
There are policy changes that leaders could make to strengthen this organization’s risk culture. One change could be the implementation of more sophisticated business analytics tools that could yield data analysis that would support more realistic profit goals. Another could be an audit of the organization’s metrics with the goal of moving to more granular monitoring that makes manipulated metrics easier to detect and correct. In addition, the organization could change its pay incentive structure to better reward innovation and increase its internal business communication initiatives featuring risk vs. reward and loss vs. gain scenarios. Manager training programs could also be improved to focus on awareness of the situational risk faced by front line employees.
Strengthening Compliance Culture
Another example of culture change can be viewed through examining compliance culture. When an organization has a robust culture of compliance, all employees understand that they have a role to play in compliance, and they do their part to ensure that compliance rules are followed.11
For example, say a culture assessment at an organization reveals a weak culture of compliance. The organization has had difficulties complying with industry-mandated and legislative standards and sometimes faces penalties. Moreover, many employees do not have a clear sense of the role their individual work plays in the organization’s compliance landscape.
What policy changes could leaders make to strengthen this organization’s compliance culture? One solution is to change the organization’s onboarding process so that new employees learn from the start that compliance, ethical standards and ethical business practices are crucial to the organization’s core values. Compliance leaders could work with human resources (HR) managers to add compliance discussions to new employee orientation programs.
Moving forward, compliance officers could look for more opportunities to speak with workers about compliance issues. This could be done during lunch-and-learn sessions where compliance teams share real-life success stories involving employees. It may also be helpful for officers to break down compliance issues into accessible and demystifying terms and describe how they might play out in day-to-day operations. Organizations can also increase the funding and resources for compliance-related programs, such as new training programs for employees on compliance issues and risk and compensation rewards for excellent compliance-related performance.
The Role of Governance in Culture
Historically, many boards of directors (BoDs) have not been very active in overseeing their organization’s culture. This may be because boards are often distant from the daily operations of the organization, so they may not have a clear sense of the strengths and weaknesses of its culture.12 However, boards can and should play an important role in the organization’s effort to maintain a strong culture. For example, when conducting performance reviews and succession planning, board members may include the executive’s ability to manage culture as a factor worthy of examination. Similarly, board discussions and evaluations of the organization’s business strategy can also include a focus on culture and its impact on performance.
If a BoD feels that a culture change is needed, it may hire additional staff or change-agent leaders to spearhead the cultural transformation effort. Alternatively, new lower-level hires can help the organization become more inclusive and diverse, changing the culture from the bottom up.
It is important for board members to realize that they, too, are part of the organization’s overall culture. They should consider the tone that their actions set at the top and how they can model positive behaviors.
Conclusion
It is crucial that information security managers and leaders understand all aspects of an organization’s culture, and this can be accomplished through an assessment or audit of the culture.
Although there is no one-size-fits-all formula for organizational culture change, organizations should examine BRAVE; modify policies and programs when necessary—including reviewing specific subsets, such as its cultures of risk and compliance—and ensure that the BoD plays a supportive cultural role in setting the right tone from the top.
Endnotes
1 PricewaterhouseCoopers (PwC), Global Culture Survey 2021: The Link Between Culture and Competitive Advantage, United Kingdom, 2021, http://www.pwc.com/gx/en/issues/upskilling/global-culture-survey-2021/global-culture-survey-2021-report.html
2 Groysberg, B.; J. Lee; J. Price; J. Y. J. Cheng; “The Leader’s Guide to Corporate Culture,” Harvard Business Review, January/February 2018
3 Bradt, G.; “To Be One of the ‘Best Places to Work,’ Build a BRAVE Culture,” Forbes, 18 April 2002, http://www.forbes.com/sites/georgebradt/2012/04/18/to-be-one-of-the-best-places-to-work-build-a-brave-culture/?sh=5af6cb4412eb
4 Tarallo, M.; “Creating Culture Together,” Security Management, April 2016
5 Mann, A.; “Why We Need Best Friends at Work,” Gallup, 15 January 2018, http://www.gallup.com/workplace/236213/why-need-best-friends-work.aspx
6 Op cit Tarallo
7 Ibid.
8 Ibid.
9 Ibid.
10 Smith-Bingham, R.; “Risk Culture—Think of the Consequences,” Marsh and McLennan Companies’ Global Risk Center, Biblioteca de Segurança, 2015, http://www.bibliotecadeseguranca.com.br/en/livros/risk-culture-think-of-the-consequences/
11 April, M.; D. Jones; “Building a Culture of Compliance,” CM Murray LLC, Lexology, 3 March 2021, http://www.lexology.com/library/detail.aspx?g=a3d1a040-e24a-4b18-9cc7-bf722b2359da
12 Anderson, G.; M. Anderson; J. Lee; What Do Boards Need to Know About Corporate Culture?, Spencer Stuart Board Services, USA, 2015, http://www.spencerstuart.com/-/media/pdf%20files/research%20and%20insight%20pdfs/brdscorpculture_012515.pdf
MARK TARALLO
Is the former senior content manager for ASIS International and senior editor of Security Management magazine. He is the author of Modern Management and Leadership: Best Practice Essentials With CISO/CSO Applications.