4 common security cultures

If you’d rather watch a 3-minute video instead of reading another email, click here to watch me talk about this from an airport

We’ve talked about culture, identity, and mental models. Today I want to introduce 4 models of security culture that have been helpful. This is a set of models from Dr. Lance Hayden, who wrote the excellent book People-Centric Security. Lance has graciously published both a diagnostic survey as well as the 4 models on his website under a Creative Commons license so you can take this and use it in your organization.

The models

I’ve drawn a quick 2x2 of the models and will briefly highlight each of them.

Across the top you see a tension between internal and external focus, this is referring to a dominant orientation toward opinions of people inside the org vs outside the org. From top to bottom there is contrast between a tight control environment and a more loose control environment.

Process culture

Beginning at the top left is the process culture, which is tight control combined with an internal focus. This is commonly found in government institutions, government agencies, where there is discipline but the way of thinking is internally focused, the organization itself determines what is right and wrong and is less concerned with what the opinions of the outside world are.

Compliance culture

Moving across to the top right a compliance culture also has tight control but an external focus. Typically this perspective thrives in a healthcare organization, where tight control is important and people look to outside regulators and standards to define right and wrong, good and bad. People care a lot about meeting those external standards, and have less room for forming a divergent internal opinion.

Autonomy culture

Moving down to the bottom right we have an autonomy culture, and that’s typically found in early-stage startups, where there is both loose control and an external focus. Very interested in customers and finding something that works for people in the outside world, but you don’t necessarily get a lot of oversight or support from the organization. It’s very much live or die on your own.

Trust culture

Finally on the bottom left you see trust culture, and that also has loose control, but is much more focused inside the organization rather than outside the organization. It’s common to see this culture inside non-profit organizations or mission-driven organizations. Collaboration and the relationships between the people inside the company matter a whole lot more than the customers outside the company.

how do I know which culture we have?

Of course I’m describing things in very general terms, things aren’t always like this in each of these organizations, but this is where you could typically expect to see each of these 4 models be the strongest.

I’d love it if you hit reply and let me know which of these 4 seems to best describe the dominant attitude in your company?

Next time I’ll take a detour to talk about a special tool you can use to measure preference for different mental models in an organization.

Want to get the latest analysis and open source tools we publish?

It's so easy for experts to put their head down and work without ever sharing lessons learned with the rest of the world. We publish all our best ideas, analysis, and latest open source tools and techniques by email every week.

    We won't send you spam. Unsubscribe at any time.

    Powered By ConvertKit