Why Information Flow Determines the Strength of Your Security Culture

Complex problems often require experts, but many security threats are first noticed by frontline employees.

Every security culture lives or dies on the free flow of information up and down the chain of command.  Frontline employees see threats before leaders do.  Leaders see patterns frontline employees cannot.  When that two-way communication breaks, people get hurt, organizations lose money, and careers end.  This is why hospitals conduct a surgical "time out" before every procedure, and why the failure of this culture at NASA in 1986 may have cost seven astronauts their lives.

What Is a Surgical Time Out?

A surgical time out is a brief team briefing before a procedure begins, where the lead physician states the patient's identity, the procedure, and invites any member of the team to raise concerns.  It is a formal pause, explicitly designed to empower every member of the surgical team, regardless of rank, to speak up.

I remember lying on an operating room table with a sheet over my head.  I was awake because the procedure I was having did not require anesthesia.  It had been a stressful past few years for me at the time.  A fainting episode led to my having a loop recorder implanted in my chest for three years, right above my ribcage over my heart.  It was there to monitor my heart rhythm to see if that is what caused my fainting episode.  Luckily it had not picked up anything abnormal, and I never had another fainting incident, so it was time to get it out.

Before my cardiologist began the procedure, the surgical team gathered around her, and she explained who I was and what the procedure was going to entail.  Then she asked if anyone on the team had any questions or concerns.  She also explained that if at any point anyone had any concerns, they could stop the procedure until their concerns were dispelled.  It was touching.  It was a mixture of professionalism and compassion I have rarely seen in my life.

I later found out that what took place was something called a team briefing and a "surgical time out".  It is an explicit reminder to everyone of what the procedure is, and to speak out if anyone sees any potential issues, regardless of where they are on the totem pole.  This culture is something that I remind organizations of all the time.

Everyone at every level should feel empowered to speak up if they see a safety concern. Everyone at every level should be allowed to activate emergency procedures.

What Happens When Information Does Not Flow?

When information does not flow up and down the chain, people can die.  One of the most studied examples of this in modern history is the Space Shuttle Challenger disaster.  On January 28, 1986, Challenger broke apart 73 seconds after launch, killing all seven crew members.  The Rogers Commission, convened to investigate the accident, found that engineers at Morton Thiokol had raised serious concerns the night before the launch about the O-rings failing in cold weather.  Those concerns never made it past the Level III Flight Readiness Review.  The decision-makers with the authority to delay the launch never heard the warning.

The cost of that communication failure was seven lives, a three-year grounding of the shuttle fleet, and a major hit to the public's confidence in the American space program.

This lesson has been written many times with the blood, money, and careers of a multitude of people.  Challenger is one of the most famous examples.

Who Plays a Role in Organizational Security?

Everyone plays a role in organizational security, regardless of position, pay grade, or job description.  If you are a leader in your organization, it might make you cringe a little on the inside to think that your lowest-level employee should have the power to activate your security procedures.  That reaction is understandable.  But if you are the leader of a large organization, can your leaders be everywhere all the time monitoring the security of your organization?  Possibly, if you hired enough security personnel.  Even if you did, the "soldiers in the trenches" of your business know how people actually engage with your product or service.  They see it every day.  They know what corners are cut, what people actually do, what systems work.  They will almost always see an issue before anyone on the leadership team sees it.  The practice of empowering them to speak up and do something can be found across disciplines.  In some workplace cultures I have seen the "I just work here, I'm not important to security" attitude.  This attitude can be deadly.  Everyone at every level plays a role in security.  The CEO might not prop open the back door, but the contract janitor might.

The inverse is also true.  The head of the organization sees things the frontline personnel do not.  That is why it is vitally important to build an organization-wide culture of the free flow of information up and down the "chain of command".

Besides pointing out security flaws, people at different levels may offer improvements to your services or products.  This empowerment of employees is a key feature of the Toyota Manufacturing Process, another side interest of mine.  Every employee at a Toyota manufacturing plant is encouraged to find small improvements to their workflow.

Decades of human factors research, much of it conducted by NASA in the aftermath of Challenger and similar failures, confirms that open lines of communication between every level of an organization are essential to safety and performance.

Who Should Be in Charge of Security?

One person, or one clearly defined team, should own security for your organization.  If everyone is in charge, no one is.  Accountability collapses the moment it is spread evenly across a workforce.

Empowering every employee to raise concerns is not the same as putting every employee in charge.  Someone needs to own the security plan, make the final calls, coordinate with law enforcement and emergency services, train staff, review incidents, and update procedures.  That responsibility cannot float.  It belongs to a named person or a defined role.

What I am advocating for is a culture where the person in charge of security has every set of eyes in the organization feeding them information.  Decisions about the procedures and policy stay at the top, but awareness and activation live everywhere.

Why Must Employees Understand the Reason Behind Security Procedures?

Employees follow security procedures more consistently when they understand why those procedures exist.  The more a person understands the reason why "tailgating" at the door should never be allowed or why every visitor should be required to check in at the front desk, the more likely they are to comply with the rules.  Providing real-world examples in which people did not follow the rules and negative consequences resulted reinforces the importance of compliance.

How Should Leaders Respond When an Employee Tells Them They Are Wrong?

Leaders should respond to employee security concerns with humility, curiosity, and public recognition.

Being told you are doing something wrong can hurt your ego if not handled properly.  Do not take it personally if a low-level staff member finds a flaw in your security.  Do the opposite.  Embrace it.  Publicly praise them, maybe even reward them.  The idea that you might be wrong is a hard pill to swallow for some people.  Unless you are a one-man band, collaboration amongst team members is very important to your organization's security.

What Happens When Concerns Are Raised but Never Acted On?

When concerns are raised and never acted on, employees stop raising them.  If you foster a workplace of collaboration and openness between everyone but then file their complaints in the “round folder” under your desk, you are doing openness and collaboration wrong.  Respond to all security concerns.  That does not mean you do what they say, but it does mean you acknowledge the concern, seek to understand the issue presented, and then explain the actions taken to the employee.  If the people in your organization feel that their concerns are not taken seriously, they will stop raising them with their leaders.

There are countless examples of "low level" employees finding flaws or issues that could have caused serious loss of life or money.  There are also countless examples of those same employees finding those flaws and then not saying anything, resulting in the loss of money, and sometimes their own life.  The free flow of information throughout an organization is not a cure-all for security issues, but it is one of the most reliable indicators of the health of an organization's security culture.

What Does a Healthy Security Culture Look Like?

The principles are simple.  One person or group should oversee security, but everyone should be empowered to raise concerns and activate the organization’s emergency procedures.  Everyone should understand why the rules exist, and everyone should feel heard when they speak up.  Organizations that build this culture become safer.  They also become better places to work, because when people feel in control of their own safety and security, the entire work environment improves.

How Does CPR Help Organizations Build This Culture?

At Crisis Prevention and Response, we help organizations build security cultures where information moves freely up and down the chain, where frontline employees are empowered to raise concerns, and where leaders are trained to listen and act.  CPR is a Florida-based security consulting and training firm co-founded by two active law enforcement officers.  Our philosophy is simple.  We only sell knowledge.  No hardware, no systems, no commissions.  Just the information your people need to make better decisions before, during, and after a crisis.

If you are ready to build a stronger security culture in your organization, reach out here.

Daniel Holland is the co-founder of Crisis Prevention and Response (CPR), a security consulting and training firm that delivers practical security solutions to homes, businesses, schools, houses of worship, and other organizations. He is an active law enforcement officer with over 10 years of experience in investigations, crime prevention, and public safety. He holds Florida Crime Prevention Practitioner and Florida Crime Prevention Through Environmental Design (CPTED) Practitioner designations along with FBI-LEEDA Public Information Officer certification at both levels. He also specializes in emerging threat assessment, with a focus on the drone threat landscape and its implications for civilian organizations.
