Security teams worry quite a bit about what goes on within their respective organizations. When that focus on internal people, process, and technology is dominant, a Governance security culture is the result. Governance is the practice by which these resources are effectively managed and sound decisions are made about how best to do so. Governance security cultures focus on balancing bureaucratic control with independent judgment. Processes and standard practice drive and limit choices, but professionalism and expertise allow flexibility when required. Doing the right things is just as important as doing things the right way; otherwise the organization risks executing perfectly on the wrong objectives. Members of this organizational security culture view risk as emerging from bad decisions, not bad policies, since policies themselves are a form of organizational decision making. You tend to find Governance security cultures in large, bureaucratic organizations that must rely on education and professionalism to drive good behavior, even under uncertain and volatile circumstances.
What Is a Governance Security Culture?
Governance security cultures, in the context of the Competing Security Cultures Framework, combine the values and characteristics of Process and Trust security cultures. They are primarily inwardly focused, concerned more with the functioning of the organization itself than with how it interacts with outside entities such as regulators. Priorities in this culture are developing good standardized practices while combining them with shared responsibility and awareness. Governance security cultures recognize that there can’t be a policy for everything, and yet good decisions must still be made. Therefore, education and empowerment are necessary to ensure good judgment in unfamiliar situations. For security teams, this can result in a highly bureaucratic security program that is supplemented by a robust security training, awareness, and culture (STAC) program to engage people throughout the enterprise.
If your organization has a Governance security culture, you probably have regular contact with the security team. On the one hand, you are made aware of the policies and processes that you must follow to keep enterprise information assets protected. But you are also likely to receive training and coaching designed to make you a better security decision maker generally. Security is likely less about doing what the security team says and more about learning why security is important to the organization as a whole, and how you can contribute. Everyone shares in the risk and has a role to play. Your organization may have a security champion program in place, designed to create “ambassadors” of security within every division or business unit to share the security team’s message and requirements. And when security gets tested, failure may be seen as the security team needing to instill better skills and judgment rather than people making “dumb mistakes.”
Core Values, Strengths, and Weaknesses of Governance Security Cultures
In some ways, Governance security cultures tend to be what most people think of as a “strong” security culture. They incorporate centralized control, standards and rules for good security practice that are pushed out to all, and an active and engaged workforce that is educated and aware of security risks and optimal behaviors. A key differentiator between a Governance security culture and a Process culture is the explicit inclusion of people as a critical infrastructure. The addition of trust and engagement bolsters and strengthens the overall security posture of the organization, and gives it flexibility and agility in uncertain situations. Well-resourced, active STAC programs are key to the Governance security culture; they are usually the mechanism by which process and decision making are combined.
Where Governance security cultures have a weakness is in their tendency to “navel gaze” and miss out on security drivers and developments from outside the organization. A strong Governance culture can feel like it’s firing on all cylinders, making the need for innovation or adaptation appear less necessary. Processes tend to become embedded, and people tend to become comfortable in their routines. So long as no large shocks occur, resistance may build to undertaking major change. This makes disruption a very real possibility in the event of a large-scale security breach or a sudden shift in the regulatory or market environments. When governance suddenly seems to stop working well, it can trigger a crisis of confidence within the organization, which has prided itself on managing wisely and strategically.
Where Do You Find Governance Cultures?
Governance security cultures tend to exist in large, mature organizations that have had a long time to figure out how to do things well in their industry. They usually invest substantially in their human capital through training, professional development, and career planning. While these organizations may have regulatory requirements or outside relationships with customers and partners they need to monitor, they have found that “running a tight ship” is often the best way of meeting these outside expectations. Security in such organizations has often developed in a structured, thoughtful way, reflecting the wider cultural preference for sound decision making.
Energy and Utilities – With long organizational histories and safety cultures that emphasize training and awareness, energy and utility companies often exhibit some form of Governance security culture. They balance bureaucratic structures for standardizing the business with a natural need for risk-taking and good judgment in the face of highly uncertain geographical regions and market changes.
Finance and Insurance – These organizations must plug seamlessly into a global, interoperable economic system that is highly regulated and regularly tested and audited. The result is a culture of interlocking standards for information flows and processing that demands conformity and commitment to shared rules and values. These organizations have also had centuries to develop stable, mature organizational cultures, often built around the value of people and professional decision making. When these traits combine in the context of security, Governance cultures can often develop.
Large Industrials – The massive scale and global reach of large industrial firms demands good governance for long-term success. Juggling different geographical cultures and balancing multiple stakeholder needs combine with highly complex internal functions to create the need for dependable, consistent management and business acumen. This can translate into the security programs such organizations design to manage information and IT resources.