What Every Security Executive Should Know about Corporate Culture
[Editor's note: Moussa's column appears courtesy of the Wharton/ASIS Program for Security Executives, an executive education program for those who aspire to be leaders in the field of security.]
When the Department of Homeland Security was created to improve the U.S. response to terrorism after the 9/11 attacks, it was the most extensive reorganization of government in 50 years. The restructuring brought together 22 separate entities, including the FBI, CIA, Department of Justice, Department of Agriculture, Centers for Disease Control and Prevention, and National Institutes of Health.
But it was much easier, as hard as it may have been, to reorganize the organizational chart than to truly bring all the diverse cultures of these agencies together. As Ashish Nanda, an associate professor at Harvard Business School, noted in an interview in Salon (The Homeland Security merger mess), the new department faces a serious challenge from "culture clashes." He said that one of the strengths of organizations such as the CIA and FBI "has been that they have very strong distinguishing cultures. And you'll put them together and then what do you want? Do you want the whole department to have a particular shared culture? How much of a commonality will there be and how much of a difference? This will resolve not right away but over a period of time."
The Importance of Culture
Culture is sometimes seen as a "soft issue," but it has a significant impact on performance, particularly the success of new initiatives. Culture is a key reason why implementations of new initiatives often fail. A UK study in 1997 found that 33 percent of companies failed to achieve their objectives, and another study found that 50 percent of all corporate initiatives become bogged down because people stop paying attention to them.
Culture is often at the root of these implementation problems. More than half of all mergers and acquisitions posted financial returns below their industry average three years after the transaction, with the leading cause of failure attributed to cultural incompatibility. A Coopers & Lybrand study found that 62 percent of all major organizational change efforts fail to achieve their stated goals, primarily due to organizational and behavioral factors.
Culture is hardly a soft issue. Sometimes the soft issues are the hard ones.
Different Cultures
Culture is the way things are done in an organization. Webster defines it as, "The integrated pattern of human behavior that includes thought, speech, action, and artifacts and depends on man's capacity for learning and transmitting knowledge to succeeding generations." But perhaps the best way to understand culture is to look at it in action in different organizations. Consider the different cultures of the following organizations, as highlighted by William Bridges in The Character of Organizations:
* Apple-A "tent-revival" culture, people on a mission, "insanely great" products.
* Capital One-Analytic, testing-driven, data-heavy
* SAS-Family friendly, "people first," good feeling enhances creativity and productivity
* Enron-Competitive, dog-eat-dog, hyper-entrepreneurial
Think about how these very different cultures shaped very different strategies and took these organizations on different paths.
Saying, Doing, and Believing
Culture is not just what companies say but is also embodied in their actions and beliefs. (This distinction was pointed out by MIT Professor Ed Schein in the 1970s.) All three components-statements, behavior, and beliefs-are important in shaping culture.
Sometimes there are disconnects between what companies say, do, and believe. For example, Enron had a very clear set of written values that focused on communication, respect, integrity and excellence. But its underlying beliefs may have been more accurately captured by a statement on a Lucite cube on the desk of CFO Andy Fastow, which read: "When Enron says it's going to rip your face off, it will rip your face off."
What people say shows up in their mission statements and public speeches. What they do shows up in their day-to-day actions, but to find beliefs you need to go a bit deeper. One of the best ways to understand the beliefs of employees in your organization is to conduct a cultural audit. This doesn't have to be a formal exercise. It can just mean talking to people and listening to their responses. Do people feel security is important? Do they act like security is important? If people don't really believe security is important, you can make the best case in the world for your security projects, but it will fall on deaf ears.
Listening is one of the hardest skills to master for managers who are used to giving orders. But it is critical in going beyond statements to truly understand the beliefs and actions that shape culture in your organization.
Changing Culture
Culture matters most when you have to change it. Culture has been called the "residue of success." It embodies the qualities that have made the organization successful in the past. But in a changing business environment, the drivers of success in the past may not be the same as the ones needed for the future. Many new security initiatives require significant changes in how employees think about and conduct their business. How do you go about changing culture?
Simply talking to people about changes is never enough. You have to show them what change means in terms of their day-to-day behavior. There is a difference between asking employees to be more vigilant and asking them to call a tipline if they see any suspicious activity, no matter how small. You also need to put incentives in place and encourage them to act differently. Then you need to keep checking to see if they believe what they are doing is making a difference. It takes time to realign people's behavior.
This means you need a lot of patience to change culture. It is not going to happen overnight. Old habits die hard. Sometimes managers leading changes lose patience with the process. They express their frustration and then this leads to more resistance from people in the organization. The resistance, in turn, results in more frustration and you enter a "doom loop" that destroys the initiative. Patience is very important. Give people time to change.
By paying attention to culture, security executives have an opportunity to create a "security culture" where security guidelines are part of the fabric of doing business. They are not something that people think about only when there is a crisis. Security is in the backs of people's minds while they are doing their jobs. This "culture of security" can raise the level of security for the entire organization and makes the security executive much more effective in developing and implementing new initiatives.
Learn more: Business Management Skills for Security Executives
Columns and interviews with Wharton/ASIS program professors are regular features on SecurityInfoWatch.com. The Wharton/ASIS educational program is designed to superbly stimulate security improvement through educational reform by promoting better business comprehension and decision making by security executives. If you are interested in this program, please call 800-255-3932, ext. 4401, or send an email to [email protected].