Stability versus Change
Improving your Security Culture.
The Stability versus Change dimension is the fourth dimension of our Ruighaver/Maynard security culture model. While some individuals are open to change (risk-takers), other individuals have a high need for stability (risk-averse). The same is true for organizations. Risk-taking organizations are said to be innovative with a push for constant, continuous improvement. Risk-averse organizations focus on not rocking the boat. Hence, an important aspect of an organization's security culture is its tolerance for change and innovation.
Organizations that have a high requirement for security often favor stability over change. Change is often seen as bad for security, as it can introduce new risks or invalidate or bypass the controls that address existing risks. If this aspect of the security culture is in line with the general organizational culture, there will be few problems. However, even when change is carefully managed, such organizations will need to ensure that their security posture does not become static. Security is never 100%, and in today's complex environment tight, centralized control over decision making can result in a lack of flexibility.
Facilitating change.
Most organizations have an organizational culture based on decentralized decision making and a tolerance of change. Often, periodic cycles of change are purposefully built into the culture and processes to facilitate the introduction of new products and services. If such an organization has a culture where individual risk-taking behavior within acceptable boundaries is tolerated or even encouraged, a restrictive security culture is doomed to fail.
Most organizations that have a low requirement for security are tolerant of change, but they often fail to realize that the organization will still need to constantly adapt its security to the inevitable changes in its environment. The organization's existing security procedures and practices will need to improve continually, and these changes need to be facilitated. While organizations that have adopted a security policy life-cycle methodology will have a culture of continuous change in that area of security, this does not necessarily extend to other areas such as security strategy development and security governance processes, or even the implementation of security measures.
Finally, we found that almost all organizations were lacking in the development of new and innovative approaches to security. Most organizations simply use the same traditional security technologies and controls, often based on existing security standards that are more than a decade old. IT infrastructure has changed dramatically in the past few decades, and organizations have to start taking into account that every organization is different and that new challenges in their security environment may warrant new and unconventional approaches.