Security culture is routinely described in values terms — respect, integrity, vigilance, accountability. It appears in codes of conduct, induction programmes, and annual reports. It is the subject of awareness campaigns, posters, and leadership messages. And in most organisations, the security culture described in those documents bears limited resemblance to the security culture that actually exists on the floor, in the field, and in the decisions people make when they think no one is watching.
The Difference Between Stated and Actual Culture
Actual security culture is not what an organisation says its values are. It is the set of behaviours that are normal, rewarded, and tolerated. It is what happens when someone finds a USB drive in a car park. It is whether people report near-misses or cover them up to avoid blame. It is whether a contractor who bypasses an access control procedure is corrected or ignored. It is whether senior leaders follow security protocols or treat themselves as exceptions. The gap between the stated culture and the actual culture is the most important risk measurement most organisations never take.
I have reviewed security programmes in organisations that had impressive documentation — policies, procedures, awareness training, governance frameworks — and genuinely dysfunctional security behaviour. The documentation and the reality were entirely disconnected. This is not unusual. It is, in my experience, more common than not.
Behaviour Under Pressure Is the Test
Security culture is revealed not in ordinary conditions but under pressure. When a deadline is tight, do people take shortcuts with access controls? When a senior person asks for an exception to a security procedure, does the security team hold the line? When a report is made that turns out to be a false alarm, is the reporter thanked or embarrassed? When a security incident is reported up the chain and proves to be significant, is the first instinct to understand it or to manage the reputational implications?
Pressure tests culture because it removes the convenient option of following the right procedure when it is costless. Under pressure, people revert to what the culture actually rewards and tolerates. An organisation whose security culture collapses under pressure does not have a security culture. It has a security performance — maintained only when it is easy.
The Leadership Variable
Security culture is disproportionately shaped by the behaviour of leaders, particularly senior leaders. When a Chief Executive is exempted from the visitor management process because it is inconvenient, the message sent to the entire organisation is that security procedures are for other people. When a General Manager dismisses a security concern because it interferes with an operational priority, every person who hears about it learns something about what the organisation actually values.
Conversely, when senior leaders visibly comply with security procedures, treat security incidents as learning opportunities rather than threats, and genuinely support security managers when they raise concerns — the culture shifts. Not immediately, not without sustaining effort, but measurably over time. Leadership behaviour is the primary input to culture change, and it operates in both directions. The fastest way to destroy a security culture is to have leadership visibly undermine it.
Measurement: What Good Looks Like
Organisations that are serious about security culture measure it rather than assert it. Measurement approaches include behavioural observation — are procedures actually followed in practice? — near-miss reporting rates — is the organisation learning from incidents that did not result in harm? — and security climate surveys that give people a psychologically safe way to report what they actually observe rather than what they are supposed to say.
Benchmark data matters here. A near-miss reporting rate of two incidents per hundred employees per year does not tell you much in isolation. Compared to a high-reliability industry benchmark of forty incidents per hundred employees per year, it tells you that your organisation has a significant under-reporting culture — which almost invariably means that near-misses are being normalised rather than reported, and that the precursors to serious incidents are accumulating undetected.
Organisations that have never systematically measured their security culture do not know whether their culture is a risk asset or a risk liability. Given that security culture is one of the primary determinants of whether a well-funded adversary will succeed in compromising an organisation, that is a significant gap.
Culture Change Is Long and Non-Linear
There is no quick intervention for security culture. Awareness campaigns produce short-term increases in reported awareness and minimal sustained behaviour change. Punitive enforcement without genuine culture investment produces compliance anxiety and suppresses reporting. The interventions that produce durable culture change are slow, require leadership commitment over years not months, and involve changing the incentive structures and consequence systems that shape behaviour — not just communicating better values.
That is not a comfortable message for organisations seeking a near-term solution to a culture gap. But it is an accurate one. Security culture is an investment with a long time horizon, and organisations that treat it as a campaign are consistently disappointed.
The organisations with the strongest security cultures I have observed share certain characteristics: they treat security as a professional discipline, not an administrative function; they invest in their security people and give them genuine authority; their leaders behave consistently with their stated values; and they have sustained their investment through difficult periods when the pressure was to cut rather than maintain. Culture is a lagging indicator of all the decisions an organisation has made about what it actually values.
Tony Ridley provides security culture assessment, programme review, and advisory on building and sustaining genuine security culture. Contact us to discuss your requirements.