Security experts often say some form of the following: “security is everyone’s job.”
This is absolutely true. It’s crucial that everyone in an organization understands the importance of security — if a stranger is in the building without a badge, everyone should know to challenge them, for example. Social engineering has been a hot topic for emerging security professionals, but all of us realize that the weakest link is often a human.
However, making everyone understand that security isn’t just the job of the security team is often easier said than done. It’s tempting for employees to ignore security issues for the sake of convenience, because they don’t believe it’s their job, or because they become complacent. So how can you ensure that everyone at your organization thinks about safety and security, no matter their job description?
Read on for several pointers that will help you start the new year right by building security into the culture of your organization.
How can you make security part of your culture?
Remember: security is a part of the bottom line: When your leadership team meets to discuss quarterly goals, they’re usually focused on revenue. If security is discussed in these budget meetings at all, chances are, it’s seen as an expense. That’s not the whole picture, however. Security may not bring in revenue, but it’s critical when it comes to profit. Security’s job is to retain your profits by preventing loss: shrinkage, catastrophic events, and lawsuits all cut into profit, so security minimizes those losses. Once leadership understands that, security will become more important to them.
Risk culture starts at the top: You can’t ask workers to accept risk and security as part of their jobs if the CEO is walking around your sites without a badge, or if board members are allowed to bring unsecured devices into a building where only secured devices are allowed. The rules must apply equally to everybody.
The head of security must have the ear of the C-suite: If there’s an incident, how long does it take for the head of security to get in touch with the CEO? How many layers of oversight are there between security and the C-suite? If safety is truly everyone’s job, the head of security should have leadership’s ear.
Security needs a budget: If security is a priority — and if you want it to be seen as important by your employees — your security department needs a budget so it can do its job effectively. In the long run, a healthy security budget is likely to save your organization money, both in retained profits and in having jobs done right the first time because they weren’t done with cheap tools or by underqualified personnel.
Communicate clearly: Are policies changing? Make sure everyone knows. Was there an incident? Make sure you control the message. If employees aren’t hearing about security regularly, they may conclude that it doesn’t matter to leadership, and — consequently — to them.
Hire the right security personnel: You want your workers to be confident in the security guards you hire, and you want them to both feel and be safe with those guards. This means finding the right personnel: not just doing standard background checks and calling listed references, but being sure that you’re not hiring someone who is in security just because they enjoy having power over other people or because they’re an adrenaline junkie. A guard like that won’t make good judgment calls; they may actually put themselves in harm’s way to feel a rush. Look for officers who are educated, adaptable, willing to make decisions, diverse, capable, and respectful of other people. They should be able to make quality decisions and they should be coachable. If you can’t find those candidates at the pay level you’re offering, consider robotic guard options, like Robotic Assisted Devices (RADs).
Be consistent: Create processes that must be followed, even if they seem tedious. For example, if an employee has left their badge at home, they should have to follow a specific process every time: go to security and get a temporary badge, even if they know the officer at the door and feel like they could be let in without the inconvenience of being late for work. Such rules are in place for a reason; maybe the person was fired yesterday and the officer doesn’t know yet. This is another reason robotic devices work well. People are often afraid to say no, but robots always follow the rules.
Make security part of onboarding: Security is often left out of training, but when new employees are hired, they should learn about security protocols and procedures as well as other important information they’ll need to know about their jobs.
Make it easy to report security issues: If you’re asking workers to report security problems, it should be simple for them to make a report. If it’s too difficult, many employees will skip it.
Always keep improving: You can’t just “set” your security and forget it. Security policies and procedures should be revisited regularly to keep them fresh and relevant and to improve any weak areas. If there’s an incident, revisit it to see where your security can be tightened or improved.
How can you get your company to be proactive about risk?
Above are just a few ways you can change your company’s risk culture. For a more comprehensive understanding of what risk culture is and how it can be changed, read the CSO Risk Council's white paper on risk, security, and your company’s cultural approach to risk.