Sam Curry, CISO at Cybereason, explains why company culture is not to blame for leadership issues, and how to create a better work climate. 

Culture is a word that conjures many things: ancient history, sweeping architecture, exotic customs, esoteric linguistics and deep, bitter conflict. However, it is far too often used to explain communications problems, management issues or operational problems, either in a flippant way or as an excuse for inaction and failure.

The root cause for such issues is almost never culture but is rather the result of not utilising data, looking for the real problems or addressing what can be addressed in a corporate setting. This is true when we look at the lack of alignment of the rank-and-file and of the leadership between security departments and the rest of the company. Nowhere is this more evident than in the most isolated of departments: the security operations centre. The seeming impossibility of climbing the security operations cultural mountain, let alone bridging it with other departments’ mountains, can, in fact, be made far simpler and more tractable than most of us know, and it starts with a deeper dive into culture.

Where the real problem lies

We live in an age where cultural faux pas lead to pain and angst and, in some cases, fear and a hostile work environment. We blame the obvious, falling back on ethnic differences or lack of understanding based on other obvious differences like religion or language or gender and so on, when really the problem isn’t cultural at all. Let’s start with an assertion that people’s identity should be explored and respected and diversity should be encouraged, but that communications, management and leadership problems most often have nothing to do with these and need deeper treatment.

We think problems are related to the fact that one office is American while the other is European because that is easy, but the real reasons the team isn’t working together are that they don’t associate with one another or don’t have the same understanding of where authority comes from. What we care about here isn’t ethnic culture; it’s organisational culture or corporate culture. For this, I like to use Schneider’s Culture Model, which really looks at the source of authority and the values of workers regardless of their ethnic culture. In the corporate world there are four types of culture, each with its basic model and source of authority:

  • Control — based on military organisational values where authority comes from hierarchy
  • Competence — based on academic values where authority comes from subject matter expertise
  • Cultivation — based on religious values where authority comes from achieving potential
  • Collaboration — based on family values where authority comes from consensus

What sort of culture are you in? Is it frustrating or confusing to get things done? Could it be that you aren’t aligned with the corporate culture? Knowing which one your company or department exhibits is a great place to look to understand what’s happening around you. Take a moment to re-read those briefly and ask yourself “which is my company?” and “which is my department?”

More often than not, the security department will have a competence culture. What we do is special and not understood by others. It is hard and requires dedication, and there are right and wrong answers. We want to find the right answer, and we’re fighters in security. We don’t roll over and show our belly to hackers. But what’s the culture of the rest of the company? Do they see things the same way? Are you in a different security culture based on one of the other models? While less common, they all exist in our domain.

Almost every new manager will either hear from someone that they “need to change the culture” of the department they are inheriting or will boldly state “I am going to change the culture.” However, culture is a mountain because even the best managers and leaders can’t change culture without a tabula rasa approach. Fire everyone and start over? That will work. But short of that, you have the culture you have, and you can do exactly two things once you know what you have.

How to fix broken company culture

First, you can drive communication skills and self-awareness and get good at understanding culture. This can be tackled head-on without a desire to change it, but instead with a desire to translate between cultures. If the broader culture matches the security department’s culture, a common language can be found. If not, a translator can be built, and this should be the job of the forward-leaning managers or leaders in the department. Incidentally, this is what HR is supposed to help with, whether they know that or not.

Second, you can affect climate quite dramatically. All cultures recognise productivity culture and can develop respect among departments. Climate is easily influenced according to: standards, accountability, rewards, esprit de corps and clarity of purpose. Every corporate culture can be effective, can respect a healthy and positive climate and can learn to work with other corporate cultures if the climate is good. This has the added benefit of making it more fun and exciting and motivating to come to work.

Sir Edmund Hillary famously has been quoted and paraphrased as saying that mountains should be climbed “because they are there”. In fact, we should appreciate the cultural mountains around us in the corporate world and move on to the vastly more interesting management and leadership challenges of figuring out how to get things done instead.