BUILDING SECURITY CULTURE

Individual behaviour and perception of a threat are critical when it comes to minimising a risk. In an organisation, employees are an important defence against unintended incidents, as they are closest to 'reality', and where things happen when things go wrong.
How we handle and respond to an incident depends on what we have learned and experienced in the past and how the threat is dealt with in our organisation.
If you want to implement more secure behaviour among employees, a number of actions are important to consider.

As an important first step in building a sound security culture, it is crucial to get management on board so they can lead by example. This helps to signal that security is a priority in the organisation, both to employees internally and also to stakeholders and customers externally.

In other words, management support for a robust security culture can help position the organisation as a place that cares about the safety and security of its employees and prevents harm to the business.

In some organisations, it can be difficult for the security officer to convince management that security is a good investment. Here, it can sometimes be a struggle to implement new protective security measures because management, so to speak, cannot see the value creation of investing in security.

In these cases, it is about understanding management's level of maturity in relation to security. It is crucial to have the patience to achieve a mature management understanding that security can be good for business.

In order to continuously develop and work with security, it is a good idea to have a fixed policy for what security work should do for the company's overall objective. Depending on the type and size of the organisation, security can be addressed at strategic, tactical and operational levels. The security strategy or policy should be formulated in collaboration with management so that they are included in the security framework. In addition, the involvement of management in the formulation of a security policy, e.g. could ensure a common thread through the company core values.

For instance, you could formulate a security policy that describes how all employees should feel secure and safe in their everyday work through participation and open communication. By formulating something so general, you leave room for constant development of the security work and still holding management accountable, should circumstances change.

Once a security policy has been drawn up, e.g. you can start to draw up procedures for ways you want security to manifest itself in the everyday lives of your employees. It may be a good idea to consult relevant staff to ensure procedures do not conflict with standard working practices. This could be, for instance, the health and safety representative who is already involved in employee well-being and work processes.

Security procedures are intended to assist in the handling of security issues. This could be related to access control, reporting accidents at work and activation of the organisation's emergency response. A good general guideline for security procedures is that they should make sense and not require too much effort for those who have to comply with them.

Depending on the maturity of the management, in some cases the safety officer will also be responsible for ensuring the involvement and participation of the employees in the security work. One way to do this is to put security on the agenda of departmental meetings or to hold safety-focused meetings where, e.g., near misses and suggestions for optimising workflows can be discussed. In large organisations it can be beneficial to have a local security ambassador who can act as a link to the security officer and clarify any doubts that may be on the minds of individual employees.

By involving all employees in the security work and decision-making processes around security, you can achieve relevant security procedures that will always be up-to-date and realistic to comply with. Another benefit of involvement is that individuals feel ownership and are thus inclined to take greater responsibility for the security culture.

Making mistakes is seen by many as taboo or embarrassing, and in some organisations there is a strict zero defect culture, where making mistakes is not seen as acceptable by neither management nor colleagues. This can result in employees in an organisation keeping mistakes to themselves and forgetting that their experiences can benefit the surrounding environment - and themselves - in future development.
Failure to evaluate and learn from past incidents and staff mistakes may lead to incidents that could otherwise have been avoided because, in this way, you would be able to prevent or deal with potential incidents.

As a security manager in an organisation, you should therefore encourage a non-threatening culture, where mistakes and past incidents are seen as learning moments, providing space for constructive debate to improve the overall security culture. This can be done, e.g., by having an open dialogue about challenges in everyday life and by continuously evaluating work processes.

When preventing an incident, it is important to understand the cultural framework we are set to work within. This includes how we perceive and understand risks, but also what words we use to describe and discuss them.

Communication is vital in an organisation's security culture, as it is crucial for employees' perception of overall safety and individual risks. Because communication affects perceptions among employees, it can also significantly influence how we respond to a potential incident. If communication in the organisation encourages employees to be open and take responsibility for risks and vulnerabilities, this is also likely to be reflected in the prevailing learning culture.

Therefore, a key element in building a good security culture is to provide those who may be exposed to an incident with the knowledge and the tools to make the right decisions in a critical situation. This ensures that they have the opportunity to consider the threat and form an opinion that is reflected in their behaviour.

Risk communication is about communicating complex knowledge to the outside world to help ensure a particular type of behaviour among a group of people. E.g., you may want to tell employees in an organisation why the threat level of terrorism to the organisation has changed and that they should therefore behave differently.

To achieve behaviour change it is always a good idea to talk from the point of view of ensuring the well-being of employees – it gives the individual a better understanding of why they need to change or adopt a particular behaviour.

The best way to ensure that staff are as prepared as possible to respond appropriately, should a critical incident occur, is to give them ongoing feedback on their work. This is done in order to strengthen the security culture through secure behaviour and awareness of vulnerabilities in the organisation. This can be done by evaluating security incidents at an everyday level and discussing what can be done to manage and minimise the impact of future incidents.

On a practical level, it would be useful to introduce safety and security as  fixed agenda items on weekly meetings and to provide regular recurrent training for staff in, e.g. awareness, basic fire-fighting and first aid.