Security Culture
Security Culture
How is your security? Companies are increasingly exposed and vulnerable to external as well as internal security threats. Threats can be aimed at people, IT systems, processes, information and assets of importance to the company, and such threats can place both corporate finances and reputation at stake.
As a consequence, many companies already work with security in the form of policies and contingency plans, IT security and physical security measures. These are good first steps, but they are not always sufficient. Security must be integrated in the working routines and culture of your organisation. Otherwise, the effects of these steps will be limited and there is a risk that your security investments are going to waste.
It requires a concerted effort to create the necessary security awareness among employees and to ensure behaviour, which does not expose the company and individual employees to unnecessary risks. CERTA can help clients develop a security culture which ensures that your efforts are successful and increase the organisation’s robustness, with benefits for the entire company.
What is a sound security culture?
CERTA Intelligence & Security works to strengthen the security culture in companies. A sound security culture is realised when a thorough understanding of the company’s values, vulnerabilities and risks permeates the entire company. Where a good security culture is present, actions and approaches that support security and safety are prioritised and considered a natural part of the company’s business operations.
How do we develop and maintain a sound security culture?
CERTA has developed an approach for its work with security culture, which draws on tools from organisational development along with change and security management.
The approach includes five elements:
- 1. Presentations to corporate management
- 2. Situation analysis
- 3. Selection of change strategies
- 4. Implementation of said strategies via specific change management tools
- 5. Documentation, evaluation and potential adjustment of work tools
The individual elements support each other, but they can be weighted differently, depending on the company’s concrete needs. CERTA can assist during all or select phases and offers all-encompassing solutions, as well as specific services and assistance.
It is our experience that a good security culture doesn’t only concern the protection of the company and the safety of its employers, but also contributes to increased:
- Employee satisfaction and loyalty
- Organisational flexibility, adaptability and learning.
The concept of working with security culture is relevant for both companies and public authorities alike, who desire to develop or maintain a good security culture. It is a management tool, and requires a solid commitment from leadership to produce the desired effects.
How CERTA works
CERTA works methodically and analytically with security. Our approach emphasises preventive efforts and building up appropriate security behaviour, which will support the company’s long-term strategic goals.
In collaboration with the individual company, CERTA can contribute to building a balanced and holistic security culture, which is adapted to the concrete needs of the company, its character and culture.
CERTA’s concept for working with security culture is based on experiences from both Denmark and abroad. CERTA’s advisers in the field have worked strategically, operatively or tactically with security culture and security behaviour in many institutions, including the police and intelligence services.
The elements in CERTA’s approach to working with security culture:
1. Leadership
A good security culture requires a strong commitment by leadership to the security work.
CERTA will deliver a presentation to the company’s leadership with a focus on organisational development, change management and security culture to establish a common understanding of what security culture and appropriate security behaviour is, as well as how security can be thought of in conjunction with broader strategic and leadership efforts.
The presentation will accompany a dialogue about the company’s security related needs.
2. Situational analysis
A situational analysis bases itself on qualitative interviews with selected employee groups and/or a broader quantitative investigation.
CERTA delivers:
- Qualitative interviews and quantitative investigations
- A map depicting leadership and employee perceptions of security, which illustrates the strengths and weaknesses, and agreements and discrepancies in these perceptions.
- A ranking of the company – and eventually particular units within that company – in relation to its environment and risk profile.
- Recommendations about where to most efficiently focus efforts to develop and maintain a security culture which meets the company’s needs and expectations.
3. Choice of Change strategy
The choice of a change goal – and strategy – will base itself partly on an analysis of the company’s ability to effectuate change and partly on recognized organisational change and change management theories.
CERTA delivers:
- An analysis of the company’s ability to change
- Recommendations about which type of security culture best fits the company’s needs
- An outline of the desired goals with regards to strengthening the security culture.
- Recommendations about which security change-management strategy best answers the company’s goals and expectations.
- A map of which resources are available and which obstacles can be expected during the change process, based on the mapping of employee perceptions.
4. Implementation of the strategy via concrete change tools
CERTA designs and produces a portfolio of concrete change measures adapted to the company, and eventually differentiated according to the different units within that company, with different risk profiles and needs. This can concern:
- Communication plans
- Presentations of tailored security solutions
- Scenario-based games that target specific security challenges or employee groups.
5. Documentation, evaluation and eventual adjustment of work tools.
CERTA applies a combination of observation, qualitative interviews and quantitative investigations to help a company document and evaluate the impact of the implemented measures. CERTA collects and assesses data, and compares it with the results from the original situational analysis.
CERTA delivers:
- Collection and assessment of data along with impact assessments, compared to the original situational analysis.
- Recommendations for adjustments of the applied work tools
- A “maintenance plan” to ensure that the obtained impact is maintained
WANT more information?
Jakob Scharf
Executive Director / Co-founder, CERTA
Former Director, PET
