4 common security cultures

We’ve talked about culture, identity, and mental models. Today I want to introduce 4 models of security culture that have been helpful. This is a set of models from Dr. Lance Hayden, who wrote the excellent book People-Centric Security. Lance has graciously published both a diagnostic survey as well as the 4 models on his website under a Creative Commons license so you can take this and use it in your organization.

The models

I’ve drawn a quick 2x2 of the models and will briefly highlight each of them.

Across the top you see a tension between internal and external focus. This refers to a dominant orientation toward the opinions of people inside the org versus those outside the org. From top to bottom there is a contrast between a tight control environment and a looser control environment.

Process culture

Beginning at the top left is the process culture, which is tight control combined with an internal focus. This is commonly found in government institutions and agencies, where there is discipline but the way of thinking is internally focused: the organization itself determines what is right and wrong and is less concerned with the opinions of the outside world.

Compliance culture

Moving across to the top right a compliance culture also has tight control but an external focus. Typically this perspective thrives in a healthcare organization, where tight control is important and people look to outside regulators and standards to define right and wrong, good and bad. People care a lot about meeting those external standards, and have less room for forming a divergent internal opinion.

Autonomy culture

Moving down to the bottom right we have an autonomy culture, which is typically found in early-stage startups, where there is both loose control and an external focus. People are very interested in customers and in finding something that works for people in the outside world, but you don’t necessarily get a lot of oversight or support from the organization. It’s very much live or die on your own.

Trust culture

Finally on the bottom left you see trust culture, and that also has loose control, but is much more focused inside the organization rather than outside the organization. It’s common to see this culture inside non-profit organizations or mission-driven organizations. Collaboration and the relationships between the people inside the company matter a whole lot more than the customers outside the company.

How do I know which culture we have?

Of course I’m describing things in very general terms, and things aren’t always like this in each of these organizations, but this is where you could typically expect to see each of these 4 models at its strongest.

Next time I’ll take a detour to talk about a special tool you can use to measure preference for different mental models in an organization.

