The CSCF Quadrants
The security-specific quadrants of the CSCF are illustrated in Figure 5-5, which also shows more detail regarding the components and values inherent in each security culture type. Each of the quadrants represents a grouping of values,
Figure 5-5 The Competing Security Cultures Framework with expanded detail assumptions, and priorities that influence and shape security decisions and activities inside an organization. These security culture types include a Process Culture, a Compliance Culture, an Autonomy Culture, and a Trust Culture.
Overlapping and Competing Values
The quadrant model of the CSCF appears very orthogonal when you first look at it, with right angles creating independent cultural characteristics. This visualization tends to obscure the way that the two axes create overlapping values anchored on different perspectives on control and fields of focus. Diametrically opposed relationships like those between process and autonomy are easier to see, but there are connections and shared values throughout the four cultures as well. Figure 5-6 represents the CSCF as concentric circles that better illustrate these overlapping traits. Process and Trust Cultures, for example, may not seem to have much in common, until one realizes that they are both centrally concerned with how the organization functions internally as a coherent structure. Process and Compliance Cultures, to use another example, seem naturally congruent when thinking of information security, with their joint emphasis on control.
Figure 5-6 Circular view of the Competing Security Cultures Framework
But Compliance and Autonomy Cultures do not seem to make as much sense together, at least not until you recognize the mutual value these cultures place on addressing challenges associated with the organization's external environment, not its internal workings.