Developing a Vigilant and Competent Security Culture
Updated: Jan 21
Culture and cultural identity are crucially important concepts in groups of people. Writers and researchers, as well as policy-makers and educators, increasingly realise that an individuals’ sense of cultural identity may be so important to them, that any attempt to encourage behavioural change without first considering potential cultural ramifications will face great difficulty. How our employees behave is a key indicator of our attitude to security. This is a crucial area as vigilant security behaviours such as demonstrating awareness of one’s surroundings or engaging with strangers will act as a deterrent to hostile actors who will see that its not just security guards and CCTV systems to be wary of, but potentially every single employee. Acting as a force multiplier, vigilant employees can identify suspicious activities and report them. The development of a vigilant and culturally competent workforce go hand in hand. Viewing culture as a sharing of patterns of thinking, feeling, reacting, and problem-solving, introducing and cultivating shared meanings and demonstrating appropriate behaviours during interactions, we can influence beliefs, values and behaviour, so that they become both accepted and expected as the norm within a group. These changes will present themselves through language, styles of communication, practices, customs, and views on roles and responsibilities. While we can communicate what we expect from our workforce as leaders, knowing that internal communities exist within our own business sometimes quite distinct from each other, it is important that we increase our cultural intelligence and become culturally competent. Developing a culturally competent workforce offers a plethora of benefits to organisations. This increased level of understanding provides business leaders with an opportunity to communicate and inform teams more effectively so as to enhance performance and encourage economic benefits, while providing security leaders with an opportunity to increase vigilance and thereby improve security and resilience levels. While cultural intelligence may be an ability to interpret someone’s behaviour in the same way other members of their own community would, cultural competence focuses on sensitivity to cross-cultural differences and the ability to adapt to other cultural environments or reflect awareness of cultural influences on one's thoughts and behaviours. It enables individuals to adopt appropriate and effective behaviour in an otherwise alien cultural environment. Developing skill in this area will help us to effectively communicate with people across cultures, thereby improving our ability to bring about positive behavioural change which increases the commitment of employees to developing an understanding of the part they play in a protection system. We are fundamentally looking to positively influence people so as to encourage them to care about each other, about the assets they have access to and about the business they represent. Culturally competent practice can result in positive outcomes for service customers, particularly in areas such as security, where cultural competence can improve our ability to understand every aspect of someone’s concerns, thereby enabling us to propose interventions and security solutions that are more likely to succeed. Ways to develop culturally competent practice:
Spend some time getting to know a business area and the business customer, do not rush meetings, consults and risk management interventions.
Be continually aware of the business values you have signed up to.
Be self-aware – remember your personal cultural values and beliefs.
Remember the business customer is the expert of their experience. Adopt a position of ‘not knowing’ and be eager to learn from them.
Reflect on the power of verbal and non-verbal communication. Both have the potential to empower, but can also leave a person wounded.
Do not make assumptions about a business customer based upon your own perceptions and bias.
Resist tokenism or simple ‘box ticking’ as a means of evidencing your cultural competence.
Be flexible by demonstrating acceptance of ambiguity.
Practice openness by demonstrating acceptance of difference.
Demonstrate humility through suspension of judgment and the ability to learn.
Be sensitive to others by appreciating cultural differences. Remember that there is resilience in diversity.
Practice positive change or action by demonstrating a successful interaction with the identified culture.
Encouraging Vigilance Through improving the ability to relate to different cultures and subgroups within a business, we become empowered to increase the understanding of staff about the threats we face from diverse perpetrators and the role they can each play in keeping each other, our assets and our business safe.
As a result we should observe:
Increased levels of security mindedness.
Increased suspicious activity and incident reporting.
An engaged workforce capable of taking on board additional personnel security advice.
Greater security mindedness is needed across a workforce in order to identify and counter the huge range and scale of threats that we face today. A pro-active approach aims to reduce the risks we face through reducing the vulnerabilities of our business assets and the business partners that have direct access to them.
Staff vigilance: a powerful deterrent Getting a workforce to behave with security mindedness, to be vigilant and to report suspicious activity can increase the chance of detection as well as deter those with hostile intentions, who may be watching us. Utilising a workforce as additional eyes and ears can provide a massive enhancement to existing protective security systems. A workforce that is observed to pay attention to their surroundings can discourage hostiles undertaking reconnaissance to obtain information vital for attack planning. Just by increasing the level of understanding within a workforce of the behaviours expected around offices and locations, we can encourage employees to be aware and on the lookout for suspicious activities. In addition, we may wish to increase the level of awareness within employees about their own security and the measures they should take to reduce the risk of being targeted because of their roles within a business. In order to increase and embed security mindedness we can adopt the five ‘E’s’, outlined by the UK's Centre for the Protection of National Infrastructure.
1. Education Our employees need to know why we need them to remain vigilant and what is expected of them. We need to educate them on the threat.
Motivation is fundamental to behaviour change. Unless employees understand the threats we face, they will not be inclined to change how they act. Educating staff about the nature of the threats, their potential impact and the role we can all play in countering them is therefore critical. In order to support the justification of our security solutions and to inform employees about the importance of practising security mindedness, employees need to be made aware of the fact that the threat is real. It is crucial that they understand that a security incident can occur at any place, at any time and that they themselves may find themselves at the centre of events. By educating employees about their responsibilities and the security measures that we have in place, they can feel reassured that we are keeping them, our assets and our sites safe. In addition to articles and interactive training, we may consider taking employees on tours of security operating rooms or organising meetings with security professionals. We can additionally communicate with employees on an Intranet site, through newsletters and staff briefings. Recognising the need to be culturally competent, it is important that we choose a communication medium best suited to the business area we are supporting.
There are some fundamentals that we can inform employees of.
Behaviours that encourage hostiles • Smoking just outside the building • Colleagues leaving together and generally not paying attention to their surroundings • Always taking the same route to work • Wearing headphones when entering/leaving the building • On a mobile phone outside the building
Behaviours that discourage hostiles
• Staff paying attention to their surroundings and being generally vigilant as they enter or leave buildings • Staff willing to engage where appropriate (“Can I help you?”) • Visible posters which encourage staff vigilance • Vigilant Security staff who are quick and efficient when reacting to an incident
‘Sloppy’ personal security behaviours can make employees vulnerable by revealing a lot about their ‘pattern of life
'Vigilant' staff are one of the most off-putting factors for someone up to no good; it makes them think they are being watched, and that they are likely to be detected and intercepted. 2. Endorsement To support efforts to be culturally competent, endorsement from the right people will help to ensure that messages about threats, mitigations and appropriate security behaviours resonate with employees. A successful campaign relies on having significant others from inside of an organisation (or outside where appropriate) to tell our employees that their vigilance and reporting are important. It’s important to recognise that different audiences might need endorsement from different people. For example, if we encounter a significant, cynical group of staff then we may consider that endorsement is best coming from a credible external expert. For new, keen staff attending their induction course, the message may be best delivered by the head of security. Regardless, the message should be endorsed from the top – through written communications and staff announcements. 3. Ease If we want staff to practice vigilance and security mindedness, then we have to make them easy to adopt. This means providing simple steps the employees can take to improve their personal security behaviours and ensuring that they know what to look for and how to report suspicious behaviours. Please see below simple guidelines for improvement. • How to give an appearance of vigilance. An alert and engaging workforce will provide an appearance of systemic vigilance to hostile actors. For example, having paid attention to an environment and noticed something or someone that is appears out of place, an employee may enquire “can I help you?”, which in addition to being aligned with our supportive culture, can ensure to provide an impression to hostile actors that the risk of being challenged is high.
• What to look out for.
Suspicious activities can include:
Loitering around on a restricted area.
People taking photographs of staff or security features of the building. Someone taking an interest in staff/vehicle movements. Inappropriate approaches to any employee. Someone being followed. Packages/bags being left unattended. Suspicious vehicle activity in close proximity to your site. Anything you feel isn’t right. 4. Enforcement
Behaviour change cannot rely on education alone; staff are human and bad behaviours can all too easily become the norm without recognised consequences for lapses or breaches in security. ‘Deterrents’ are fundamental to building awareness and part of a multi-layered approach. The central premise is that staff will have a ‘relaxed attitude’ to their personal security if detection measures are, or are believed to be, weak or non-existent and so it is crucial that we all understand the consequences of breaches if we are all going to take this responsibility seriously.
We should be encouraged and supported to speak directly with individuals who are conveying the wrong behaviours. This can range from ‘soft’ interventions such as questioning someone who’s not displaying their pass, to ‘hard’ measures such as escalating your concerns to security. Rather than feel like you are causing any trouble in reporting behaviours, you are in fact showing that you care, for each other and your business.
It is important that we determine that a campaign is working, to build upon successes and improve future communications. In order to assess the impacts of a security culture, its important that we determine a baseline of staff vigilance and reporting levels. After this we can measure:
• Attitudes towards security including awareness of threat and risk.
• Current security behaviour.
– Personal security.
– Vigilance levels.
– Propensity to report.
– Personal security practice: when online, and when entering and leaving your premises.
• Awareness of security campaigns and communications.
• Message take-out from such campaigns and communications.
• Expected future behaviour.
– Likelihood to report.
– Greater alertness to suspicious behaviour.
– Personal security practice: when online, and when entering and leaving your premises.
A number of research methods can be used to measure the success of campaigns from online surveys to staff interviews and focus groups. It is important that results of staff surveys are triangulated with other data such as reports of suspicious behaviour (calls to the dedicated line etc.) and hostile reconnaissance. Also, interview colleagues in the organisation and members of your security team to find out their perspective.
Evaluation will help us to plan future interventions and will help to ensure that business leadership continue to buy in to future campaigns.