I always smile when I hear security consultants advising that organisations should create a security culture. Why? Because quite simply there is no such thing. Security means entirely different things to different people. And of course there’s more than one way to skin a cat. No single approach works best across every situation and community. People respond differently according to their religion, culture, background, location, ambitions and motives. Amongst many other things.
As Douglas Macgregor, a famous MIT social psychologist, pointed out in his classic 1960 book “The Human Side of Enterprise”, there are fundamentally different approaches to managing people. It’s all a matter of taste. Some managers favour an authoritarian management style. Others prefer a more participative approach. And in practice you can achieve effective security either by instilling fear, paranoia or suspicion into your staff, or by building on positive motivators such responsibility, trust and empowerment.
Great minds do not think alike on this subject. Galileo, for example clearly favoured an educational approach, declaring that “You cannot teach a man anything. You can only help him discover it within himself.” Other revolutionary leaders, such as Uncle Joe Stalin, preferred to wield the lash. “Trust is good, but control is better”, he was heard to say. So you have a choice. You can be nasty or nice. Which one should it be? Impossible for me to say. Because the most appropriate approach depends on you, as well as the nature of the community you’re trying to change, and its chosen management style.