#5MinSecrityRead: “What we need is culture change”. Really?

• by Ellie Hurst
• Advent IM Blog

A valuable exploration of our actual understanding and commitment to culture change, and as with so many things, definitions are vital or we stray into important concepts becoming buzzwords…

Over to Derek Willins, Head of Client Development.

“What we need is culture change”. Really?

Every week I hear or see the phrase, “we need a culture change”. A data driven culture, or an innovation culture, or a security culture.  You name it, we want it, and we want it now.

It seems to me that the ‘culture-change’ plea, appears when the particular behaviour changes desired, are apparently not high enough on an organisation’s agenda. Getting change up the agenda is usually too hard, so ‘culture-change’ has become a generic cry and in practice, nothing changes. Changing a culture is one of the hardest things any organisation can do.

The truth is, business and technical change is happening fast, and we need everybody to be all things at once. This can and does result in sub-cultures (silos), which create new opportunities for internal conflict and inaction. Stress, burn out and growing mental health issues are all related to an inability to manage fast change. A logical conclusion then, is we need is a culture that is fluid and quick to adapt and relish change. Let’s be realistic, it may exist somewhere, but not in this country.

I think we need to revisit the problem. We need to re-phrase it. The questions should be; how do we get to where we want to be, how can data help us be more innovative, or how does better information security make us more productive?  Creating action plans to enable behaviours based on questions like this, if done well, will create the culture you need. In other words, culture becomes whatever it needs to be; driven by the behaviour changes in the action plans. The good news is when behaviour changes, attitudes follow; ask any psychologist about the Consistency Principle, and how it makes people align their behaviour and attitude. Thinking one thing and doing something contrary is just too uncomfortable.

So, how can better Information Security improve productivity? Imagine having one set of accurate data that’s correctly and constantly updated and available to all those who need it. Can you imagine all data and information is classified and appropriately protected, so it can be shared confidently with trading partners to harness the right minds on opportunities? For many organisations this is a fantasy, but those doing this now, are going to be the winners over the next 10 years.

In summary – culture will change itself, if the right behaviours are delivering on the organisation’s objectives. We need to ask the right questions first. A good starting place is how do we use the information we have to save money, drive sales, or be more innovative. Good Data Governance, an effective Information Security Management System, plus Data Protection policies, are ultimately the foundations of all successful information driven action plans and decision making.  Advent IM know this from experience.

Derek.