Security Risk Culture: Fixing the 'It Can't Happen Here' Mentality
By Tom McCoig, Manager of Industrial Security Solutions, ABS Group
One of the most common situations across many industries regarding security risk is the belief that catastrophic security-related incidents "won't happen at our facility" or "won't happen to me." This is a concern because this mindset could indicate an embedded lack of security culture across an entire organization. Many organizations do not include an evaluation of their security culture as part of their security risk assessment process, and so by failing to perform this type of assessment may compromise their operational security risk management resources, which include time, money, efficiencies, efforts and human capital.
How does an organization first develop or enhance a security risk culture and create awareness from the tactical to the strategic levels and then implement these? One of the most effective measures an organization can implement is to assess the human factor gaps and elusive root causes and attitudes that lie hidden within their daily security processes and internal self-assessment programs.
Improving Security Risk Culture
Cultural improvement typically takes a long time to become deeply rooted in an organization, but improvements can be seen fairly quickly if the culture change process is implemented properly. Conducting workshops at each organizational level, including contractors, is an effective way to educate, train, solicit input and engage the workforce in developing and owning the company culture improvement plan.
Factors to consider for improving your organization's security risk culture include:
- Assessing current facility culture and focusing on strengths and weaknesses
- Understanding potential historical root causes for culture problems
- Soliciting ideas for improving security processes
- Developing, implementing, and monitoring improvement plans
- Measuring culture change by simple culture metrics or performance guidelines
Contributing factors to a catastrophic security incident could be (1) lack of a proactive security risk culture; (2) the mindset of "it won't happen here;" and (3) the human error element. Progressive organizations equip themselves with risk-based methods to address the underlying organizational and cultural causes of major security incident situations before they happen.
Does your organization need a security risk culture or security-related human factors assessment/ guidance? Understanding the full risk picture and the many factors involved may require you to reevaluate your organization's overall security risk culture through a third-party assessment.
ABS Group's Industrial Security Solutions team provides consulting services, training courses, third-party assessments and workshops to help you in assessing security culture and identifying root cause issues at multiple organizational levels. These services help organizations in a broad range of industries improve security operations and reliability, create cost-efficiency and enhance the quality of daily security operational work processes.