Creating a security culture

Everyone in the organisation contributes to its security culture

PER005

Organisational culture has a direct impact on security. Even with the best security processes and tools, your organisation will still be at risk if people have a poor attitude toward security.

The following steps will help to create a positive and sustainable security culture and reduce the personnel security risks facing your organisation.

Get commitment from the top

The chief executive and senior team must be committed to effective security practices and procedures. Building an effective personnel security culture means getting everyone on board. Responsibilities for personnel security extend throughout your organisation and your chief executive holds overall responsibility for protective security.

Your chief security officer is responsible for protective security policy, oversight of protective security practices and evaluation activities that inform ongoing improvements.

Build security awareness

People are much more likely to engage in your security culture if they understand the credible security risks that face your organisation. Increased awareness will help people understand that they have important security responsibilities and know what those responsibilities are.

Publish clear communications about security

Everyone needs access to clear policies and procedures that:

  • explain the reasons for your organisation’s security instructions
  • outline legal, regulatory and compliance requirements
  • ensure people understand their responsibilities.

Support staff wellbeing

Provide people with access to support, such as a confidential employee assistance programme. Encourage them to report and deal with personal issues before they become a serious problem.

Manage concerning behaviour

Managers need tools and policies to identify, support, and manage people who display concerning behaviour related to security, poor performance, or unacceptable conduct.

Avoid a blame culture

People who raise legitimate security concerns should be encouraged and seen as good corporate citizens rather than troublemakers.

Reporting emerging concerns or near misses should be treated as a way of helping colleagues who might be at risk, rather than getting them into trouble.