The Organization Module is the second module of the Security Culture Framework. In this module, you are figuring out who to involve in organizing and running your security culture program as well as spending time defining different target audiences.
The people to involve in organizing your work with security culture are not limited to the security department. It is vitally important to include expertise from a number of different areas. The three most obvious ones are:
- The C-level executive from whom you will need active support
- Human Resources – They usually know more about culture than security people
- The Marketing department – They tend to understand communication better than security people
Defining target audiences is marketing speak for understanding that different people are, well, different. Demographics differ – age, sex, interests, life situation and so forth.
For your security culture program, it makes sense to understand the differences within your organization. For example, there may be a huge difference between how people in your sales department act and communicate when compared to a similar-sized group dealing with accounting, ICT or production. Understanding these differences, and using them when designing your security culture program, may be the difference between failure and success.
The Organization module provides templates and methods to use.
Anchoring and Motivation
In many cases, building a security culture is a form of change management. For most people it is easier to accept new things, changes and extra work if they understand why.
To spread the message across the organization of why this program is going ahead, some of the measures you can take are:
- Create ambassadors or champions – Involve and incentivize people to spread the message across the business
- Information meetings with good tailored communication – Provide regular and timely information
Motivating and creating a balance of the needs of an individual are closely linked. A recommended communication strategy is one where the focus is on why it is important to create a security culture.
Tailoring the message is important.
Handling resistance in the Organization
Human nature is such that there will always be a natural resistance to change. It’s not unheard of for people and even organizations to say, “Well, we’ve always done it this way, why change now?”
Building a security culture is essentially a case of organizational culture. For that reason it is important to prepare, to plan, to detect resistance at an early stage and, most importantly, to be able to manage it effectively.
HR departments usually have a lot of experience in understanding people and their resistance to change, and in how to watch for and manage any issues. You should foster good relationships with them!