Setting Up the Project
Culture, although measurable to a certain degree, is also naturally amorphous and hard to pin down. Measuring a collective set of human interactions is never going to be as easy as measuring packet throughput in your network or the money you spent last year on vendor security products and services. So the worst thing an organization can do when embarking upon an assessment of security culture is to conduct a project that is ill-considered, vaguely conceptualized, and poorly designed. Planning for the security culture diagnostic project is the most important stage, as it will determine how well everything else goes afterwards.
Defining the Project Strategy
As obvious as the goals and objectives of the security culture diagnostic project may seem at first glance, they probably aren't. And in any event, like assumptions in any model, project strategies should be laid out explicitly in advance and documented. That way everyone is on board, or at least should be, from the beginning about what is hoped for and what is expected from the project.
A key strategic consideration is which culture or cultures the project intends to measure and describe. Is the project goal to ascertain the existing security culture across the entire company? Or does the organization only want to discover the security culture for a specific group, such as the security team itself?
Most SCDS-based projects, and the linkages to the CSCF cultural quadrants they create, are going to have some sort of comparative function. The whole idea of linking security risk to cultural competition implies that more than one culture is striving for predominance. Cultural diagnostics help identify these discrepancies and conflicts and make them visible to the organization. So what is the project's comparative strategy? The culture of the security team is an obvious choice, but given that any organization may have a large number of subcultures, which are the most important for comparison? The easiest comparison to be made is that of the entire corporate culture. But there may be other cultural values that need exploring, particularly in the wake of a security incident.
A third aspect to consider is whether and how the SCDS results will be fed into a follow-on transformation project. Do you want to change particular aspects of the security culture, such as making it more process- or people-oriented? Or do you hope to make competing cultures more closely aligned? These decisions will drive the analysis and the communication of results down the line.
These are only a few of the possibilities an organization should consider before embarking on a cultural measurement initiative. Strategy is critical. If you are running a security culture diagnostic project, you should be able to easily explain why you are doing it, how you are doing it, and what you expect to get out of doing it, all in as much detail as possible.