Why You Need to Rethink the ‘Top-down’ Security Culture Mantra

During 2018, Google employees have very publicly aired their concerns over a clash between what the company says are important organisational cultural values and what, as employees, they have observed. Most recently, on November 1, more than 3000 employees in New York staged a “Walkout for real change”, and smaller groups walked out of their offices to protest in Dublin, Zurich, Berlin, Hyderabad, Singapore, London and Google’s home, Silicon Valley.

The clashes were caused by Google’s handling of sexual harassment claims and treatment of female workers, employees’ objections to the company working on defence projects in conjunction with the US military, and developing a search engine for China, which it is alleged would have increased censorship. These demonstrations of personal resolve involved walkouts, resignations and a letter submitted to the senior leadership team which went very public.

“We have a mantra: don’t be evil, which is to do the best things we know how for our users, for our customers, for everyone. So, I think if we were known for that, it would be a wonderful thing.” Larry Page, Founder of Google

In all these cases, employees wanted to shine a light on the ‘cultural dissonance’ they saw – the gap between the values Google espouses and the ones it actually displays (albeit allegedly often in secret). Employees wanted to hold executives and, in some cases, the senior management team to account for their behaviour or failure to fulfil their promises.

Creating a desirable security culture

So, is the mantra of “driven from the top” really an accurate reflection of all that needs to be done to create a desirable security culture?

The example of Google shows the need for organisations to rethink the widely held belief that security culture should solely be driven from the top down. There’s a sensible case that you need leadership to drive change, but it’s a risky choice to make it entirely their responsibility.

Our research into behaviour and culture highlights the role of the groups and peers we associate and interact with day to day as the overriding influence on our own values and choices. For almost everyone in an organisation that’s not going to be the executive board.

Security culture is not only driven from the top down. Our approach recognises the need to influence culture from the ground up and the side in, the importance of awareness and behaviour, and how they link with culture. Only by understanding the interplay between them can you start to create the positive change you want to see more quickly than by relying on top-down change alone. As the case of Google has shown, this is a two-way process.

Security culture training

We run regular workshops to help organisations that are serious about creating positive change delve deeper into these topics and get to grips with how to change their security culture.

If you’re interested in finding out more there’s information about our global Re-thinking the Human Factor Workshops here. Please feel free to ask us any questions in the comments below too.
