Find a Professional

Find a Professional

Security Culture Services

Information security is a people, process, and technology challenge.

Information security is a people, process, and technology challenge. Many organizations still depend primarily on technological solutions and products to protect themselves and their information assets. This bias towards technology increases the risk of security incidents and losses, and degrades the overall effectiveness of information security strategy. People-centric security represents a powerful new capability for managing information risk and security threats.

BRG’s Security Culture services offer a people-centric approach to enterprise security designed to improve and transform the “cultural firewall” of the organization. BRG experts have the expertise, skills, and resources to measure, align, and transform the human security infrastructure.

Our services focus on values, priorities, and behaviors, and enable companies to reduce their security risks while increasing enterprise security performance and efficiency. These services are designed to provide advisory support at every level of cultural transformation, from beginning steps to full transformation.


BRG workshops offer high-level, collaborative engagements designed to introduce clients to the principles of people-centric security and the measurement and development of cultural firewalls. The flexible and interactive workshops help clients set the stage for security culture transformation.

BRG experts provide advice, education, and coaching focused on understanding and improving security culture. Workshop content includes:

  • Understanding the link between security culture and performance
  • Understanding and assessing cultural risks and threats
  • Introduction to the Competing Security Cultures Framework (CSCF)
  • Culture measurement and shaping using the CSCF
  • Introduction to the Security FORCE Behavioral Model
  • Assessing highly reliable security programs using Security FORCE
  • Setting culture and behavior goals and objectives
  • Building a security culture transformation strategy
  • Leadership and communication in enterprise security culture


The BRG Security Culture Assessment (SCA) provides detailed, empirical analysis of enterprise security culture. SCA engagements allow clients to measure and visualize specific cultural types within the enterprise that impact security operations, to identify risks and conflicts between security cultures, and to formulate strategies for cultural improvement and transformation. SCA services leverage the CSCF, an industry model for security culture analysis.

During the SCA, BRG experts will measure and analyze one or more enterprise security cultures within the client environment. SCA activities include:

  • Identifying target security cultures for the assessment
  • Identifying goals and objectives of security culture improvement
  • Assessing security culture(s) using the CSCF and associated Security Culture Diagnostic Survey (SCDS)
  • Analysis of SCDS results and visualization of CSCF cultural types
  • Analysis of cultural threats and risks identified during the assessment
  • Recommendations for improvement or transformation of client security cultures to reduce risks and mitigate cultural conflicts
  • Aligning SCA results with other BRG Security Culture services, when included


The BRG Security FORCE Behavioral Analysis (SFA) provides detailed, empirical analysis of enterprise security behavior. SFA engagements utilize the Security FORCE Behavioral Model, an industry model for identifying highly reliable security programs. SFA engagements offer clients the ability to identify and measure whether they conform to specific security behaviors associated with highly reliable security practices that reduce risk, improve operations, and enable resilience.

During the SFA, BRG experts will measure and analyze the prevalence and strength of Security FORCE behaviors associated with highly reliable security. SFA activities include:

  • Identifying individuals, groups, or functions for Security FORCE analysis
  • Identifying goals and objectives of security behavior improvement
  • Analysis of target group(s) using the Security FORCE Model and survey
  • Analysis of Security FORCE results and creation of FORCE scorecards
  • Assessment of behavioral risks identified during the SFA
  • Recommendations for improvement or transformation of client security behaviors to create a more highly reliable security program


BRG Security Culture Transformation Planning (SCTP) brings the results of SCA and SFA engagements into the development of holistic, measurable, people-centric transformation strategies. SCTP engagements enable clients to evaluate the maturity of their cultural capabilities against goals and objectives for security programs and business performance, and to create defined paths for cultural improvement that will reduce security risk and increase security program performance and efficiency.

During the SCTP, BRG experts will assess current security strategy and maturity against organizational security culture, behavior, and priorities. CSCF and Security FORCE results will be correlated and used to build paths to improve cultural maturity. SCTP activities include:

  • Comprehensive analysis of enterprise security and business goals
  • Alignment of security and business goals with findings and results of security culture and behavioral assessments, including SCA and SFA
  • Analysis of current and future state security culture capabilities maturity
  • Analysis of current and future state cultural controls necessary for achieving desired security cultures and behaviors
  • Development of defined, measurable, people-centric strategy maps for achieving security culture transformation
  • Communication support and assistance for security culture transformation at all enterprise levels, from the board to users

Contact David Phillips for more information about BRG's Security Culture services.

Find out more about BRG's Technology Advisory practice.