Measuring Risk Culture: Company Culture and Security Go Hand In Hand
Organizations set security goals for their departments. One way they can measure whether departments are reaching those goals is by setting KPIs. A KPI can count the number of employees who have completed their online training modules or the number of systems that keep their patches up to date. This lets organizations quickly measure the security work that has been done and the work that remains. If a KPI shows that one employee still needs to complete training required by compliance regulations, HR might send that employee a reminder, since the training is part of the company's compliance requirements. If one system shows that it needs updates, the organization may schedule an engineer to complete the work and keep the system secure. These alerts guide organizations in managing the control environment of large systems and in monitoring their security culture over time, even when attention is focused elsewhere. Automation can help organizations apply updates and surface alerts that employees might otherwise miss while they are focused on other work.
Investigations of incidents and employee reviews can also provide insight into the security culture of an organization. When trying to measure risk culture, the attitude of leadership and employees greatly affects how well it can be measured. Qualitative data often gives leadership an opportunity to misinterpret the security culture in order to protect the reputation of their department. In an organization that prioritizes continuous improvement, feedback is treated as an opportunity to improve, and KPIs are welcomed because they generate work for employees that creates jobs, improve the security posture of the organization, and maintain good-faith behavior toward the public.
The attitude of leadership often trickles down into the policies and procedures of the organization. Organizations that value their employees take a “let’s work together to prioritize security” approach, while organizations that value quick contracts and protecting their bottom line will often forgo security for the factory model that keeps them rich. In the long run this behavior reduces employee happiness, ruins company culture, and forces organizations to recover from harmful breaches once their poor leadership finally causes great harm to the public.
Deloitte’s Risk Culture Framework offers guidance on the different areas to consider when addressing risk culture. This assessment can guide organizations in slowly making small changes along a roadmap that produces a strong impact over time. Small incentives for employees, for example, can have a large effect on the organization. Talking about security and ethical responsibility in work meetings takes only a brief paragraph, but over time the effect shapes the focus of the entire workforce. Risk reporting metrics can go a long way in providing small prompts that improve leadership over time and set an overall mindset of improving the security posture of the organization.
References
Deloitte. (2024). Cultivating a Risk Intelligent Culture: Understand, measure, strengthen, and report. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/center-for-corporate-governance/us-ccg-cultivating-a-risk-intelligent-culture-050212.pdf
Donovan, L. (2023, June 2). What metrics are organizations using to measure risk culture? Risk Leadership Network. https://www.riskleadershipnetwork.com/insights/what-metrics-are-organisations-using-to-measure-risk-culture