Updated: Feb 1, 2020
How do you develop a strong security culture without concrete information about the threat?
By: Juan Bernal
Accepted authority rests first of all on reason. If you ordered your people to go and throw themselves into the sea, they would rise up in revolution. I have the right to require obedience because my orders are reasonable.
— Antoine de Saint-Exupéry, The Little Prince
As mentioned before, education regarding a threat is crucial to fostering a security culture, but often there is insufficient evidence to substantiate a credible threat, or, if there is, the information is classified. This presents a real problem: you want a strong security culture to develop inside your organization, but you don't have the facts and figures to convince your staff that a threat is real. This phenomenon is very common and is one of the biggest obstacles to developing a security culture. When we don't believe that a threat is real, we believe that effort is not warranted, and that is where regulation, incentives and punitive measures have to come in, to make sure that there is at least compliance before culture is developed.
So how do you develop a strong security culture inside your organization without clear information on a specific threat? Some people try to do it by lying to their staff; others exaggerate claims or simply cite world trends, news articles, best-practice manuals, loosely related events or similar cases that have affected the same sector or industry in different geographic locations. The stories vary, but it is rare to find management that addresses the issue candidly and directly. I once heard the director at a research facility that operates radioactive material tell this to his 100 employees after unveiling a new security system at the facility:
I’m not aware of any threat to our facility as of now. You and I know that our city and our neighborhood are safe. Nothing has happened here before, but even though we believe the threat is low, I want us to engage in a campaign of prevention. I encourage you to follow our new security procedures and to take good care of our new equipment. If we operate our security well, the day that someone wants to attack or steal from a site like ours, they will go to the one with the worst security, and that will not be us. We can't allow an event like that; as remote as it may be, it would put the livelihoods of our families and the security of our neighbors at risk.
It was a remarkable speech. The director of the installation trusted his people enough to share the truth and his rationale with them. Instead of educating his staff on a threat (which he had no information on), he decided to educate them on his motivation and interest. This education was powerful enough to convince his staff to voluntarily assign priority to security tasks and procedures in the absence of regulation or a substantiated threat. Today this site displays some of the highest RID performance metrics of any of the security systems that we measure around the world.
Simply put: a high level of security culture is achievable, but not without education. Changes in behavior only occur when a team understands why those changes are necessary and what their role is in the transformation. If there is a credible threat, educate your staff on it. If there is no information on the threat, inspire, and if you can't inspire, regulate while you take the time to educate. Only when you focus on effective education will you be able to start building a strong security culture.