Stability versus Change
Improving your Security Culture.
The Stability versus Change dimension is the fourth dimension of our Ruighaver/Maynard security culture model. While some individuals are open to change (risk-takers), others have a high need for stability (risk-averse). The same is true for organisations. Risk-taking organisations are said to be innovative, with a push for constant, continuous improvement. Risk-averse organisations focus on not rocking the boat. Hence, an important aspect of an organisation's security culture is its tolerance for change and innovation.
Organisations that have a high requirement for security often favour stability over change. Change is often seen as bad for security, as it can result in the introduction of new risks or in the invalidation or bypass of controls for existing risks. If this aspect of security culture is in line with the general organisational culture, there will be few problems. However, even when change is carefully managed, such organisations will still need to ensure that their security posture is not static. Security is never 100%, and in today's complex environment tight centralised control over decision making can result in a lack of flexibility.
Facilitating change.
Most organisations have an organisational culture based on decentralised decision making and a tolerance of change. Often periodic cycles of change are purposefully built into the culture and processes to facilitate the introduction of new products and services. If such an organisation has a culture where individual risk-taking behaviour within acceptable boundaries may be tolerated or even encouraged, a restrictive security culture is doomed to fail.
Most organisations that have a low requirement for security are tolerant of change, but they often fail to realise that the organisation will still need to constantly adapt its security to the inevitable changes in the organisation's environment. The organisation's existing security procedures and practices will need to improve continually, and these changes need to be facilitated. While organisations that have adopted a security policy lifecycle methodology will have a culture of continuous change in that area of security, this may not necessarily extend to other areas such as security strategy development and security governance processes, or even the implementation of security measures.
Finally, we found that almost all organisations were lacking in the development of new and innovative approaches to security. Most organisations just use the same old traditional security technologies and controls, often based on existing security standards that are more than a decade old. IT infrastructure has changed dramatically in the past few decades, and organisations have to start taking into account that every organisation is different and that new challenges in their security environment may warrant new and unconventional approaches.