The Culture Map

Maps are one of the ultimate data visualization tools, though they are seldom thought of as such. The same techniques used to express relationships between physical locations can be used to visualize all kinds of data. Maps help us see relationships that would otherwise be too complex or abstract.  

Lance Hayden’s Competing Security Cultures Framework (CSCF) is a prime example of using maps to visualize enterprise security cultures.

Process Culture (upper left)

A Process Security Culture tends to be internally facing and tightly controlled, likely quite bureaucratic in nature. Things get done by the book and there's a "book" (or a policy or SOP) for almost everything. These cultures value stability and standardization as the key to their success. This process culture is best described like a police officer, who is often described as having an internal locus of control, high self-efficacy—which is to say that they are confident that they know the right thing to do and are not influenced by external factors in carrying it out. This quadrant loosely maps to the Watch Dog and Crypto Cat personality types, which influence security cultural perception through the lens of ensuring internal policies are followed.

Compliance Culture (upper right)

A Compliance Security Culture tends to be externally facing and tightly controlled, likely due to an environment of audits, competition and external scrutiny. Documentation and evidence are the lifeblood of the organization. These cultures value conformity and repeatability as the key to their success. This quadrant loosely maps to the Watch Dog and Crypto Cat personality types, which influence security cultural perception through the lens of ensuring external regulatory best practices are followed.

Autonomy Culture (lower right)

An Autonomy Security Culture tends to be externally facing and loosely controlled: the classic startup model. People are given autonomy and authority to do what they need to, innovating in order to get results. These cultures value flexibility and agility as the key to their success. This quadrant loosely maps to the Digital Narwhal personality type, which influences security cultural perception through a quirky, innovative lens.

Trust Culture (lower left)

A Trust Security Culture tends to be internally facing and loosely controlled, a community of empowered stakeholders. Everyone has skin in the game and is driven to share success and failure collectively, not as individuals. These cultures value communication and mutual commitment as the key to their success. This quadrant loosely maps to the Zen Fox personality type, which influences security cultural perception through a relationship-based, people-centric lens.