
Security Risk Culture: Fixing the 'It Can't Happen Here' Mentality

By Tom McCoig, Manager of Industrial Security Solutions, ABS Group

Security Risk Culture / Mentality

One of the most common attitudes toward security risk across many industries is the belief that a catastrophic security incident "won't happen at our facility" or "won't happen to me." This is a concern because such a mindset can indicate a lack of security culture embedded across the entire organization. Many organizations do not evaluate their security culture as part of their security risk assessment process, and by failing to do so they may compromise their operational security risk management resources: time, money, efficiency, effort and human capital.

How does an organization first develop or enhance a security risk culture, create awareness from the tactical to the strategic level, and then put that awareness into practice? One of the most effective measures an organization can take is to assess the human-factor gaps, elusive root causes and attitudes that lie hidden within its daily security processes and internal self-assessment programs.

Security Is Everyone's Responsibility

A mindset that works against proactive security risk management is rooted in the belief that low-probability, high-consequence security loss events "cannot happen here." The security industry maxim "Security is everyone's responsibility" works only if everyone in the organization understands the value of security and each individual takes his or her security responsibilities seriously as a daily practice. Management must clearly communicate that the levels of security put into place are a response to the organization's perceived business risk, and that security is not just a cost but also a business enabler that supports positive business objectives.

Policy drives and sustains corporate security risk culture: the individual and organizational DNA that represents the tendency to do the right thing in the right way at the right time, even when no one is looking. Shaping security risk culture requires all members of the organization to (1) learn what security risks the organization faces; and (2) understand their individual security responsibilities for the benefit of the organization's health, reputation and success. By consistently embedding this knowledge and understanding, an organization's preconceived security mindset will gradually change and improve.

What are some attributes of a healthy security risk culture?

  • Working environment where consistent awareness of security issues exists
  • Continuous scenario-based communication and training methods
  • Knowledgeable employees who are aware of the internal and external "threats of concern" identified by management and regulatory agencies, and of how those threats could escalate into malevolent acts against the organization
  • Communication of security awareness topics that extends beyond regulatory requirements
  • Management that does not overlook poor security behaviors or intentional acts that disregard security protocols
  • Security assessment methods that identify security risk culture issues, potential human errors, and elusive root causes
  • Corporate and facility internal audits supported by third-party subject matter experts
  • Open and effective communication and learning environment
  • Consistent security incident and near-miss reporting system
  • Open environment for employees to discuss security concerns and share lessons learned

Improving Security Risk Culture

Cultural improvement typically takes a long time to become deeply rooted in an organization, but improvements can be seen fairly quickly if the culture change process is implemented properly. Conducting workshops at each organizational level, including contractors, is an effective way to educate, train, solicit input and engage the workforce in developing and owning the company culture improvement plan.

Factors to consider for improving your organization's security risk culture include:

  • Assessing current facility culture and focusing on strengths and weaknesses
  • Understanding potential historical root causes for culture problems
  • Soliciting ideas for improving security processes
  • Developing, implementing, and monitoring improvement plans
  • Measuring culture change by simple culture metrics or performance guidelines

Path Forward

Contributing factors to a catastrophic security incident include (1) the lack of a proactive security risk culture; (2) the mindset of "it won't happen here"; and (3) the human error element. Progressive organizations equip themselves with risk-based methods to address the underlying organizational and cultural causes of major security incidents before they happen.

Does your organization need a security risk culture or security-related human factors assessment or guidance? Understanding the full risk picture and the many factors involved may require you to reevaluate your organization's overall security risk culture through a third-party assessment.

ABS Group's Industrial Security Solutions team provides consulting services, training courses, third-party assessments and workshops to help you in assessing security culture and identifying root cause issues at multiple organizational levels. These services help organizations in a broad range of industries improve security operations and reliability, create cost-efficiency and enhance the quality of daily security operational work processes.
