One-Card Initiatives: Cultural Issues

Oct. 27, 2008
If employees don’t understand the purpose or uses of their new smart cards, it could hamper your success.

When people envision one-card initiatives (programs to implement a single smart card for both physical and logical security), most often they envision the technical aspects of the projects. However, a review of corporate one-card initiatives reveals that their progress can be significantly hampered by failure to attend to the personnel and organizational cultural issues involved in the technology deployment.

Takes a Licking to Keep on Ticking
Employees at Microsoft use smart cards to authenticate themselves on the corporate network when working remotely. Bryan Weinstein, a program manager in Microsoft’s product activation group, wrote a letter to the editor of the internal publication “Micronews” stating, “I wanted to know if there is any danger to licking our smart cards.” Weinstein said his card stopped working a while back, and the only way he could get it working again was to lick the contact area on the back that makes the connection to the card reader. Weinstein wrote, “I’ve been licking my card and I wonder if it’s like cancer causing or if I’ll grow a third eye or something like that.” He explained that the long lines to get a new card had so far stopped him from obtaining a replacement.

At a different company, an employee was seen walking out of the card issuance office holding his new smart card up to his lips. “I know you can hear me,” he said to the personnel he imagined were somehow monitoring the card. “I just want you to know that I don’t care!”

Another true story is that of the man who walked into his company’s security badge office demanding to know where his card had been throughout the weekend. He kept his security badge in the glove box of the family automobile, and he wanted to know where his daughter had driven the car. He is not alone in the assumption that because some smart phones have GPS capabilities, the location of smart card security badges can also be tracked.

While these stories are humorous, they do warrant consideration. If you state that your new access control system includes a muster feature to locate personnel in an emergency, you should explain that it works based upon cards being presented to a reader. Although that may seem to be obvious and not worthy of mention, don’t be surprised if employees jump to other conclusions if you don’t spell it out. Some of those conclusions will be based upon the perceived mission of security within the organization, some based upon “technology” presented in action and science fiction movies, and others based upon the organization’s corporate culture.

What Is Corporate Culture?

The term “corporate culture” is used to define the unique personality or character of a particular company or organization. It is the behavior that results when a group arrives at a set of rules for working together, often unspoken and unwritten, and adds up to “how we do things around here.”

Corporate culture refers to the shared values and practices of the company’s employees and includes such elements as core values and beliefs, underlying assumptions, attitudes, ethics, and rules of behavior. Corporate culture can be expressed in the company’s mission statement and other corporate communications, in the interior dA©cor of offices, by what people wear to work, by how people address each other, and in the titles given to various employees. The actual culture may or may not match the culture described in company literature.

How Culture Impacts Security
Although this article looks at culture primarily as it relates to a one-card initiative, in a broader perspective corporate culture is also an important security factor. Pamela Babcock, writing for the January 2004 issue of HR Magazine, relates the story of a major international corporation that hung signs in its hallways proclaiming that trust was one of its driving principles. Yet that same company had security personnel search employees’ belongings each time they entered or exited the building. This countered the company’s efforts at establishing a culture of trust and at the same time framed security in a bad light.

Babcock points out how cultural disconnects can impact security in other ways as well. Conflicting messages regarding corporate culture may create distrust and cynicism, which can be a factor in prompting—or helping employees to justify—actions as dramatic and deleterious as embezzlement.

Walter O. Baggett, writing for Internal Auditor in June of 2003, noted that many frauds occur in companies that have excellent internal control systems because the corporate culture allows managers and employees to look the other way, simply ignoring that controls are being overridden. Baggett states, “Given the realization that attitudes are as important as systems, the accounting literature and corporate governance standards have placed the responsibility for corporate culture squarely on top of the management pyramid because the board of directors and top management set the standards for an organization’s belief systems.”

What does all this have to do with one-card initiatives? First, that the success of any one-card initiative is dependent in part upon the broader corporate culture and the presence of a security culture within it. Second, the historically siloed nature of security in many organizations makes it likely that the one-card initiative’s implementation team won’t be aware of these cultural factors. Since corporate culture is important to the HR function as well, it can be very productive to team up with the right HR person to identify issues relating to corporate culture.

The Culture Within Security
The security culture within an organization can impact a one-card initiative. For example, a smart card rollout program requires a trained and helpful security staff. If helpfulness is not a part of the security culture, that culture will have to be changed prior to the rollout.

Cultural issues can affect both the cost and schedule of a rollout. In a 44-page white paper updated in 2005, titled “Smart Card Deployment at Microsoft,” Microsoft documents its rollout of smart cards for employee remote access to Microsoft networks and the administration of high-security systems. The smart card deployment project, which involved more than 70,000 cardholders, had the largest scope of any project in Microsoft IT history.

In the white paper Microsoft estimates that the deployment cost of smart cards was a one-time expense of approximately $70 per user, including labor for deployment, server hardware and enrollment stations. After deployment was completed, the maintenance and management costs for the Microsoft smart card infrastructure fell significantly. The cost for issuing, replacing or renewing a card where the card must be physically touched—such as when a new employee is hired or when a smart card is lost or broken—is approximately $26 per card (based on a 1.5% per user per month replacement rate). The annual cost per card for activities where the card does not need to be physically touched by support staff is considerably lower. For instance, the automatic renewal of a digital certificate carried on the card costs less than $0.40.

Thus we can see that there is a significant difference in cost between automated system actions and actions that require some level of staff involvement. Where education about the smart card program is weak and where company culture doesn’t foster employees embracing technological change, the level of staff involvement will be needlessly high during the rollout, with unnecessary schedule and cost increases resulting.

At one leading company, research showed that some employees had major misconceptions about smart card technology. The one-card team realized that if their program didn’t educate employees about the smart card deployment, employees would come to their own conclusions based upon whatever information or misinformation might be available.

The one-card team developed an internal Web site that was ready before the pilot and evolved as the program evolved. The Web site, which accepted feedback from employees, was the primary source of information exchange throughout the multi-year initiative. The one-card team also reported progress and announced details regarding timing and locations for badge distribution in company articles in print and online. The result: a smooth and on-schedule rollout.

Teamwork for Enterprise Rollout

Because one-card initiatives must include an educational component, security must partner not only with IT, but with HR (for personnel training and education, including new employee instruction) and perhaps Marketing as well (to help craft and package the company’s internal messages about the initiative). However, there are also factors that require collaboration with other business functions.

There are privacy ramifications with regard to storing information on smart cards. For example, U.S. Social Security Numbers should not be used as employee identifiers. There are regulations regarding the export or import of encryption technology on smart cards that affect international travelers and card issuance or usage in other nations. HR and Legal must be consulted on these issues. If any business units are U.S. federal government contractors who require access to government facilities, then HSPD-12 and FIPS 201 requirements also apply to the cards and the card issuance process.

Teach Your Employees
Achieving the understanding and buy-in required for a smooth enterprise roll-out of a one-card initiative requires educating the card users as well as the project personnel. Security education programs vary from organization to organization, with many programs being modeled after whatever was done in the previous year. The book Security Education Awareness and Training, by Carl A. Roper, Joseph A. Grau and Dr. Lynn F. Fischer, is an excellent reference to study prior to planning a one-card initiative.

The authors reviewed the general state of corporate security education and found that for many companies, security education consists of briefings, classes, lectures, and sometimes posters. Security education efforts were fragmented and not highly effective. Often security educators only looked within the security profession for ideas, not outside it. Thus instead of defining security education by the means and topics that are commonly in use, the authors decided to present this useful definition (p.2): “Security education is everything we do to enable people in our organization to carry out their roles in our security program effectively and reliably, plus everything we do to influence them to do just that.”

Security education includes conversations in hallways, statements made in individual e-mail messages, and comments made anytime. It includes both formal and informal means of communication. It can also include any action that we take, whether or not we are aware of it having an educational effect. Thus security education begins with educating ourselves on the impact of all our actions and communications as security practitioners, whether or not we consider them to be part of security education.

Make Them Aware
The authors of Security Education Awareness and Training also caution security managers to pay attention to the relative positioning of security matters compared to other company matters. They present the example of a company that required employees to attend in-depth meetings on a new promotion system, the inventory control system, and equal employment opportunity. However, when security had a new initiative, they simply passed out some paperwork for employees to read on their own. Their question: “How important will people think security is?”

Many aspects of a card rollout require consideration of company culture, such as the name of the initiative and the establishment of its objectives, the titles given to its key personnel roles, the design of the printed portion of the smart card, and its packaging and means of distribution to cardholders. Appropriately, one company chose to distribute their smart cards in the employee paycheck envelope. That is an envelope upon which all employees place a high importance. Additionally, the non-receipt of a paycheck envelope would be reported immediately.

Pilot the Project
“Lessons learned” material from many one-card initiatives, including the Microsoft white paper referenced earlier, recommend pilot projects to work out the kinks prior to full-scale deployment. Pilots in well-designed initiatives will not be solely technology focused, but will include an education component with the objective of inspiring cardholders and project team members to ownership and active participation rather than reluctant compliance or avoidance. Educational programs—whether large or small—require considerable preparation and planning in addition to their execution effort. Thus it is prudent to test their effectiveness as part of a roll-out pilot, and refine them if the intended results are not initially achieved.

Prior to a One-Card Initiative

Regardless of how near or far in the future a one-card initiative is, if your corporate culture doesn’t contain an appropriate security element or if you haven’t closely examined your corporate culture in light of its impact on security, now is a good time to start giving this factor some thought. The next article in this series will examine project timelines for one-card initiatives, which will include the educational component mentioned in this article.

Ray Bernard, PSP, CHS-III is principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard is a consultant and writer who has provided strategic and technical advice in the security and building automation industries for more than 18 years. He is also founder and publisher of “The Security Minute” 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.