What people say shows up in their mission statements and public speeches. What they do shows up in their day-to-day actions, but to find beliefs you need to go a bit deeper. One of the best ways to understand the beliefs of employees in your organization is to conduct a cultural audit. This doesn't have to be a formal exercise. It can just mean talking to people and listening to their responses. Do people feel security is important? Do they act like security is important? If people don't really believe security is important, you can make the best case in the world for your security projects, but it will fall on deaf ears.
Listening is one of the hardest skills to master for managers who are used to giving orders. But it is critical in going beyond statements to truly understand the beliefs and actions that shape culture in your organization.
Culture matters most when you have to change it. Culture has been called the "residue of success." It embodies the qualities that have made the organization successful in the past. But in a changing business environment, the drivers of success in the past may not be the same as the ones needed for the future. Many new security initiatives require significant changes in how employees think about and conduct their business. How do you go about changing culture?
Simply talking to people about changes is never enough. You have to show them what change means in terms of their day-to-day behavior. There is a difference between asking employees to be more vigilant and asking them to call a tipline if they see any suspicious activity, no matter how small. You also need to put incentives in place and encourage them to act differently. Then you need to keep checking to see if they believe what they are doing is making a difference. It takes time to realign people's behavior.
This means you need a lot of patience to change culture. It is not going to happen overnight. Old habits die hard. Sometimes managers leading changes lose patience with the process. They express their frustration and then this leads to more resistance from people in the organization. The resistance, in turn, results in more frustration and you enter a "doom loop" that destroys the initiative. Patience is very important. Give people time to change.
By paying attention to culture, security executives have an opportunity to create a "security culture" where security guidelines are part of the fabric of doing business. They are not something that people think about only when there is a crisis. Security is in the backs of people's minds while they are doing their jobs. This "culture of security" can raise the level of security for the entire organization and makes the security executive much more effective in developing and implementing new initiatives.
Learn more: Business Management Skills for Security Executives
Columns and interviews with Wharton/ASIS program professors are regular features on SecurityInfoWatch.com. The Wharton/ASIS educational program is designed to superbly stimulate security improvement through educational reform by promoting better business comprehension and decision making by security executives. If you are interested in this program, please call 800-255-3932, ext. 4401, or send an email to firstname.lastname@example.org.