The CISO as Enterprise Integrator

The whole is greater than the sum of its parts.”  ~Aristotle

Even in the 4th Century BC, it was understood that functions within an organization working  together for a common goal produced better results than working independently. Somewhere between Aristotle and the modern MBA program this lesson seems to have been lost as functional excellence became a key criteria for bonuses and promotions. As a result of the recent movement towards digital transformation and organizational agility, the importance of enterprise integration is only now being rediscovered. Yet most organizations are hardwired for functional thinking, with budgets and recognition systems as heavy influencers of silo behavior.

Take the example of the Three Mile Island Nuclear Accident, where strong silo behavior and a focus on functional excellence led to poor information flow between departments that needed to work together. The result? Lack of communications, internal competition and poor trust compounded a technical fault into a major accident. In their excellent book, Meltdown: Why Our Systems Fail and What We Can Do About It, Chris Clearfield and Andras Tilcsik clearly point out how in complex systems small mistakes and communication blockages can lead to catastrophic results.

Today’s businesses and organizations are becoming increasingly complex.  And the rush towards integrating digital technologies into every aspect of the organization dramatically increases that complexity. Supply chains have become massively complex and often harbour significant business risks. And in many cases these critical supply chain risks are invisible to management. And manufacturing is no longer isolated from marketing and sales, since the customer experience is becoming a significant competitive advantage in many industries.  

We are working in ever increasingly complex organizations and it seems that the only person who cuts across the silos and looks after the “big picture” is the CEO. But with the increasing external demands on the time of the CEO, efforts at enterprise integration and getting multiple functions to work together for a common enterprise objective often take a back seat.

Organizational silos are a significant business risk!

An Important Role for the CSIO

The growing tsunami of attacks from cyber criminals and nation-state bad actors is seen as one of the top business risks by business leaders. A single breach could wipe billions off market value, cost millions in loss of downtime and system recovery, plus significantly damage both customer and employee trust in the company.

While cyber security lies squarely in the job description of the cyber security department, seeing cyber security as a functional responsibility is both naive and extremely risky. With 80% of cyber breaches the result of employee mistakes and behaviour, cyber safety becomes an enterprise issue, not a functional issue. And all employees, from the C-suite to the night cleaning crew, and from the Call Center to the outsourced staff are important links to cyber security.

At a recent workshop on cyber security culture and risk mapping for a large European based global bank, it quickly became apparent that cyber safety was an enterprise issue. The culture and risk mapping exercise revealed several key departments that have a significant impact on overall cyber safety, but had few significant interactions with the Cyber Security department. These were Physical Security, Information Technology, and Human Resources. Each have their own functional objectives, budgets and challenges, yet in many ways all have a direct and significant impact on cyber security inside the organization. And the C-suite also stood out as critical to overall cyber security; not just for their contribution to “tone at the top”, but for the significant number of cyber security exceptions generated by this group.

Silo focus and lack of overall alignment on key enterprise objectives often lead to sub-optimization, and hidden business risks.

No alt text provided for this image

In our experience, the CISO is in the perfect position to be the catalyst for organizational alignment since cyber security risks reside in every function and every individual employee action. The CISO is one of the few in an organization that has an enterprise-wide perspective on security risks and could effectively act as the enterprise integrator, helping to mitigate current and potential cyber risks to the organization. A breach may happen in one area or from one action, but its impact is enterprise wide and effects everyone. While market risk or operational risk are impacted by one or two functions, cyber security risk is inherent in every function and every employee.

Currently the role and responsibilities of the CISO is not well defined, and there is much discussion as to where the CISO should report and the breadth of their remit. Those companies that fully understand the enterprise and business risks of a cyber breach tend to have the CISO sitting on the senior leadership team. But in most cases, the cyber security function is still seen as a secondary technology cost center reporting to the CIO or in some cases the Chief Risk Officer, CFO COO or even the Legal Counsel. According to a study by Georgia Tech Information Security Center, 40 percent of CISOs reported to the CIO or CTO. And the Global State of Information Security Survey 2018 estimated the financial losses as a result of reporting relationship of the Chief Security Officer.

No alt text provided for this image

We believe that seeing cyber security as a business issue and not a technology issue is key to putting in the proper organizational structure and reporting relationships to allow the CISO to act as an enterprise integrator.

It is impossible to determine when or where many business risks come from, but cyber attacks are continuous, growing and a serious business risk.

John R Childress. Chairman, CulturSys, Inc.

Posted in Uncategorized | Leave a comment

Cyber Security, Traffic Lights and Roundabouts

Warren Buffett famously remarked: “Risk is not knowing what you are doing.” Simple yet profound. Many a time I have fallen victim to an overinflated sense of my own abilities and suffered the consequences, sometimes to my own ego and sometimes to my pocketbook.

After studying and advising on corporate culture for the past 35+ years I have developed a twist on Warren’s sage quote. Mine goes like this:

Risk is also not knowing what your culture is doing.

We know by now that corporate culture matters and plays a significant part in business successes, failures and yes, risks. Compare the stellar performance record of Southwest Airlines to the hubris and fraud at Volkswagen or the fall of the once revered Wells Fargo bank. Corporate culture is either a performance enabler or a business risk.

And corporate culture has a huge role to play in cyber security.

Traffic Lights and Roundabouts

I learned to drive in the US where stop signs and later traffic lights were the norm. I failed my first driving test at 16 for not looking both ways at the intersection before proceeding through. Now when I drive it is an automatic reflex.

However, for the past 25 years I have lived in the UK, where roundabouts are the norm and traffic lights a more recent addition. My first encounter at a UK roundabout was as a tourist and it was a mess. Not only was I driving on a different side of the road in a rental car with the steering wheel on the other side, but I was totally ignorant of the “rules” related to roundabouts. Needless to say, I was not popular at that particular intersection but thankfully my passengers and I escaped unharmed, as did the other cars, who honked vigorously as if to acknowledge my stupidity.

Both traffic lights and roundabouts have rules and it is easy to understand how an accident could happen when a driver is ignorant of the rules and driving “etiquette”. But what happens when we know the rules? Is there a safety difference between traffic lights and roundabouts? And if so, why? And what the heck has all this got to do with cyber security?

Accountability for road safety

When one looks at data on traffic accident rates for roundabouts and traffic lights, and also stop signs, a startling difference occurs. Here are two sets of graphs that tell a very interesting story.

The facts are clear, roundabouts are much safer in terms of accidents, and particularly fatal accidents than either stop signs or traffic lights. And by studying human behavior, it becomes clear as to why.

Roundabouts work well because each driver takes personal accountability for their own safety and the safety of other cars as well. This shared accountability causes drivers to focus on their driving and the behavior of other drivers, pay attention in all directions and evaluate multiple possible scenarios for remaining safe. Also, the speed of cars in a roundabout is much slower than on the open road.

Driver behavior at stop signs is full of assumptions. If I stop, others will stop as well. Once I stop, it is okay to proceed. All other drivers understand the same rules about stop signs and have the same values of road safety as I have. A lot of assumptions! And they are often false. People run stop signs when in a hurry or when distracted and serious accidents occur.

Traffic lights on the other hand have proven to be extremely hazardous because people rely on the technology for their safety rather than taking personal accountability. Green means Go, Red means Stop and Yellow should mean caution. But when it comes to human behavior, being first, beating the light, zooming through a Yellow, being first off the line when the light turns Green are very real, and often dangerous human actions. And the statistics show this clearly. Relying on technology to keep us safe is not 100% failproof.

Accountability for Cyber Security

We are definitely losing the war on cyber security. It’s a technology arms race with the bad actors overcoming and one-upping our every attempt to build and deploy cyber safe technologies. In fact, there is close to a 100% probability that you, your family and your company will be hacked at some point. And the costs are huge. Last year global cybercrime was estimated at around $600 billion, and today it is well over $1 trillion. And each cyber breach costs the average business over $3 million in recovery costs, lost revenue, damage to customer loyalty, loss of employee trust in management, and numerous other costs.

And now we come to the analogy between cyber security and road intersections. Just like traffic lights, we cannot rely on technology to keep us cyber safe. We must take personal accountability. And in the corporate setting, that means building and sustaining a cyber safe culture where employees at all levels take personal accountability for keeping themselves and the company cyber safe.

Building accountability for cyber safety takes more than workshops and training classes. These are useful, but not sufficient. Accountability definitely has an educational component, but personal accountability cannot flourish in a culture of poor trust, blame, finding fault, bullying and negative peer pressure, lack of transparency and feedback, and poor leadership. PowerPoint decks, written values on the walls, and all hands meetings may talk about cyber awareness and accountability, but when the pressure is on for cost control, making the schedule deadline and being driven to accomplish impossible goals are the norm, remaining vigilant and personally accountable for cyber safety often takes a back seat. And the back seat is a dangerous place to pilot a speeding car, let alone a large organization facing a tsunami of cyber attacks.

The other barrier to being accountable for cyber security comes from the fact that we have very poor, if any, data or organizational models as to how culture and employee behavior impact cyber security. We have mountains of reports and terabytes of data about the technological aspects of cyber security, but almost none about the people side.

About CulturSys and Cyber Security Culture

To date, cyber security has mostly been reliant on technology and regulations (policies and compliance). They are definitely important, but as we are currently experiencing across the globe, not sufficient. We need a third leg to the cyber security stool — culture. And not just an amorphous culture, but a specifically designed cyber security culture.

CulturSys, Inc., whose founders have over 35+ years of experience in helping global organizations reshape culture to improve business performance, has been focusing its expertise on data analytics and management tools to help build and proactively manage cyber safe cultures. We see culture very differently than most. We understand that culture is actually a business system, or network, of key influencing factors inside the company that drive employee attitudes and behaviors. And we can now visually map these factors.

Using a combination of data analytics, systems modelling and behavioural science we have developed a software platform to visually map cyber security culture and identify, using internal company data, potential cultural risks to cyber security. In addition, we have developed an extensive library of cultural best practices to support business leaders in building a more robust cyber security culture.

Combining data analytics, technology and human behavior insights will go a long way in creating a more accountable culture that reduces cyber risks.

John R Childress. Chairman, CulturSys, Inc.

Posted in Uncategorized | Leave a comment

Cyber Security Culture: The Missing Link

Broken chain on white background

An effective business strategy is comprised of a series of core elements. Competitor analysis, product-market fit, and organizational capabilities are critical components. They are key links in the chain that enables successful delivery of the business strategy.

Likewise, effective cyber security has several core elements. The two links most CISOs and business leaders focus on are technology and compliance. Advances in threat detection and internal monitoring technologies are making it harder and harder for bad actors to get inside a company and wreak havoc. And regulatory compliance policies and processes have the benefit of focusing our attention on prevention and quick response.

If these were all we needed, then we should be winning the cyber security war. But all too often it seems that we are not winning, and in some cases falling far short. The global cost of cyber-crime is currently at around $600 billion and is expected to top $1 trillion very soon. The growth rate of cyber attacks increased 27% between 2017-2018. It’s getting more and more expensive to invest in technology and compliance to try and keep up.

It’s not just large companies being targeted by the growing number of hackers, criminal gangs and nation states. All sizes of business as well as political, governmental and social organizations are under attack. Small organizations don’t have the capital for the latest cyber technology and additional compliance is often a cost burgeon as well.  Yet a successful breach in a small company can easily lead to its demise.

We need another strong link in the cyber security chain!

Cyber Security Culture

Corporate culture is either an enabler or a barrier to successful strategy execution. The same is true for cyber security and so far, we have paid only lip service to the importance of a cyber safe culture. And the data clearly shows how important it is to the cyber security equation.

One of the fundamental reasons why organizations are not focusing more on cyber security culture is the traditional way culture has been defined and how difficult it is to accurately assess the causes, or drivers, that determine our culture?” currently have very little data. Most culture data is subjective at best and the result of employee surveys. I honestly doubt that employee surveys give us a real picture of the culture, and certainly not the cyber security culture.

 The classic definition of culture, established in the 1970’s by Professor Ed Schein of MIT Sloan School of Management, focuses on employee behaviours, beliefs and shared values. As a result, most culture assessments and definitions use employee surveys focused on behaviours, beliefs and values. Extremely hard to quantify and even harder to connect to business outcomes.

But what if such behavioural definitions of corporate culture were actually describing the outcome of a culture, and not the culture itself? An important question in order to understand culture more deeply is “what in the organisational system is driving or influencing people to behave in habitual ways inside this company”? With this question in mind, we open up a more fruitful understanding of culture and can define cyber security culture in a way that allows us to map, model and quantify the culture and its impact on cyber risk.

Cyber Security Culture (CSC) is an interconnected system of policies, processes, rules, company goals, leadership focus, management and supervisory actions, and employee attitudes that together influence how all employees behave towards cyber security. 

Looking at cyber security culture as a business system can give the CISO and business leaders new insights, and most importantly, point out specific cyber security risks that are inherent in the culture, but previously invisible.

  • Data and metrics are readily available inside the company that can help determine which specific elements of the culture act as security enablers or risks
  • Seeing cyber security culture as an interconnected system helps employees better understand how their work and actions directly impact the health of the company.
  • A cyber security culture system map points out those various business functions that are acting as stand-alone silos and not an integrated part of the cyber security solution.
  • Cost effective solutions can be easily pinpointed to improve the overall effectiveness of cyber security, saving resources and costs against standard across the board “culture improvement” programmes.
  • The effectiveness of the cyber security culture can be tracked over time and linked directly to important business metrics. Thus, improving the culture will have a direct impact on cyber security and can be measured.

A business systems model can help executives proactively manage the culture using culture analytics to determine the cyber security impact of proposed change activities.

By having technology, compliance and culture all in the tool kit of the CISO, we can make even greater progress on protecting our information and our people from the growing tsunami of cyber crime. Cyber security culture can become a responsive and adaptive “human firewall”.

Written and Posted by: John R. Childress

Senior Executive Advisor on Leadership, Culture and Strategy Execution Issues,
Business Author and Advisor to CEOs
Visiting Professor, IE Business School, Madrid

Twitter @bizjrchildress

Posted in Uncategorized | Leave a comment

Rugby Values & Corporate Values

I grew up in the US in the 60s and the dominant sport in my hometown, like many other parts of the country, was football. So when I moved to the UK it was difficult to stay awake late at night to watch televised American football. So I started gaining an interest in Rugby. It took a while to learn the rules, as they are quite different from American football, but the fast pace and overall size of the players soon captivated me.

There are lots of colloquial sayings about Rugby. A couple of my favourites are:

How we win the game shows something about our character;

how we lose it shows all of it.

Rugby is a hooligans game played by gentlemen.

The last is purportedly a quote by Winston Churchill.

Currently the Six Nations Rugby Championships are being held. The six teams, Scotland, Ireland, Italy, France, England and Wales, are perineal rivals and the play is fast and fierce, with huge bragging rights on the line.

Last weekend I watched the England v France game on TV. While England dominated the play and won 44–8, it was not the scoring that made a lasting impression on me, but an incident between two players and the referee. Basically after a gang tackle one of the England players pretty obviously slapped a French player on the head and grabbed his head gear to pull him to the ground. There had been some extremely rough tackles previously and tempers were obviously hot. Quickly a pushing match ensued with players from both sides joining in.

After the referees separated the two teams, the Head Referee called over the offending England player and this team captain. I fully expected him to cite the rules of the game and send off the offender. Instead, he reminded both players about the “rugby values” of fair play and sportsmanlike conduct and how the only way this game works is for all players to live and play according to these rugby values.

What amazed me was that both the offending player and the captain looked seriously contrite and apologetic, knowing full well they had not only broken a sacred value, but let the game down. Promises were made and the game resumed, without any more incidents.

I contrast this to my experience of American football where the referee faces the crowd, used a microphone to recite the rules, and punishment is given to the offending team. Very often the guilty player throws a temper tantrum, proclaiming his innocence or blaming the other side. Great theatre, but poor sportsmanship.

The world of Rugby takes the game, and their values very seriously. These values not only define the game, but also define the players as well, and every member of a rugby organization, from the Scrum Half to the Head Office, believe in and uphold these values. In rugby, the values are the game!

Corporate Values Are Not the Game

Like rugby, most companies have a code of ethics and values and in many cases they are featured on the website, in the annual report, hung in the lobby and hallways. Some even have them in all meeting rooms. But in my 40 years of management consulting on leadership, culture and performance, it is rare as hen’s teeth to hear an employee being reminded by a manager or supervisor of the company values after a business breakdown, safety error, missed objective or cost overrun. Corporate values in most cases are a tick-the-box, HR or Corporate Communications event. And this is especially true when they are featured in annual performance reviews when bonuses are on the line.

Consider the staggering $350+ billion in fines for unethical behaviour in banking over the past 9 years. Don’t say this is the case of a few rotten apples. The culture of banking, and many other industries, runs on profit, not values. And in a culture where speaking up about potential ethical issues is slapped down and whistle blowers are vilified and bullied, senior managers resist looking “under the hood” when profits are high. Values and ethics sit at the back of the bus in many companies.

You may argue that business and rugby are different, one is just a game and the other is a serious enterprise with shareholders. True, but rugby is also a business with over 5 million active professional players worldwide and merchandising alone is a $2 billion business.

And here is something to think about. Rugby fans are fiercely fanatic about their clubs and worship the players. And they have to pay to watch. How many employees, who get paid, are as fanatic about their company and worship their senior managers?

I believe it has something to do with having written values versus living the values. In my view, values and profit are two sides of the same coin of commerce. Can values and profit coexist? I certainly hope so, otherwise business will never be the force for positive social leadership ad change that is could be.

Written and Posted by: John R. Childress

Senior Executive Advisor on Leadership, Culture and Strategy Execution Issues,
Business Author and Advisor to CEOs
Visiting Professor, IE Business School, Madrid

Twitter @bizjrchildress

Read John’s blog

Posted in Uncategorized | 1 Comment

The Evolution of Corporate Culture & Culture 4.0


“I know corporate culture impacts business performance; but I don’t have a clear understanding of how to manage culture to ensure we achieve the business results we have planned and promised.” ~ a frustrated CEO

Corporate Culture is one of the most talked about topics by business leaders today, and for good reason. The business impact of a weak or misaligned culture has become more pronounced over the last 10 years as company after company, from banking, insurance, airlines, auto manufacturers and energy utilities have experienced billions of dollars in fines and share price declines as a result of issues ultimately stemming from a misaligned or even toxic corporate culture. Culture has a powerful positive or negative impact on business performance, company reputation and brand value.

Consider the banking fraud at Wells Fargo perpetrated by a culture of relentless pressure on staff to meet very aggressive sales quotas. Or the cover up by Volkswagen of fake CO2 emissions data. And recently the toxic culture at Uber allowing its rival, Lyft to gain significant market share. Then there is Equifax covering up the public exposure of millions of private customer records through multiple cyber hacks.

On the other hand, Southwest Airlines and its “culture of LUV” has contributed to 43 straight years of profitability, plus the highest customer satisfaction scores in the airline industry. And the “innovation culture” at Amazon enables it to penetrate and dominate in multiple business sectors by disrupting old business models and revolutionizing the customer experience.

The economics are compelling, manage culture well and your organization can experience growth, brand recognition and financial rewards that attracts and keeps employees and builds customer satisfaction and loyalty. Manage culture poorly and your organization may experience massive fines, customer defections, high employee turnover and loss of brand value.

There is growing consensus among business leaders and academics that culture matters. Corporate culture often provides the key differentiator that elevates performance to the next level. What is not so clear is precisely HOW business leaders can actually MANAGE culture to add value to their brand and capture sustainable industry leading business performance.

The Evolution of Corporate Culture

The evolution of modern business has evolved over the last several centuries in discrete phases, each powered by a significant advance in technology and scientific understanding. The first industrial revolution started in the late 1700’s with the introduction of mechanical production powered by water and steam. In 1784 the first mechanical loom revolutionized weaving and reshaped many early industries. The second industrial revolution arrived in 1870 with the first assembly line, a product of the introduction of division-of-labor and mass production powered by electrical energy.

In 1969 we witnessed the third industrial revolution, the use of electronics and programmable IT systems to further automate tasks and production. And today we are experiencing the fourth industrial revolution, the explosion of disruptive innovations through the digitization of business processes, open access to massive amounts of information, hyper-connectivity, artificial intelligence and the Internet of Things. The evolution of business has led to massive improvements in productivity and speed and added more and more value to the world GDP and to the wellbeing of many people.

In a similar manner, our understanding, application and approach to corporate culture has evolved over the past 70 years. And with each new phase the effectiveness, value and ability to impact business results has increased. In the chart below we summarize our view of the evolution of Corporate Culture.

Culture 1.0 — Defining Corporate Culture: The formal concept of corporate culture began in 1951 with the early academic studies of Elliott Jacques in manufacturing companies. This early introduction of how an organization’s culture could impact performance was followed by further academic studies by Edgar Schein from the MIT Sloan School of Management and others. To better define the concept of corporate culture, two academics from the University of Michigan, Robert Quinn and Kim Cameron developed a 4-quadrant model, called the Organization Culture Assessment Instrument (OACI), which remains as one of the dominant tools to assess and describe culture.

Culture 2.0 — Linking Culture and Business: In 1982 the New York Time best-selling book, In Search of Excellence by Tom Peters and Bob Waterman burst into the boardroom. The book described how so-called excellent companies used vision, values and behaviors to drive superior business performance compared to their peers. Studies by Professor John Kotter of Harvard started to research data on the linkage between culture and business. As a result, between 1982 and 2000 we saw the rise of numerous culture training firms using top down behavioural/culture change workshops for all employees to develop new behaviors more in alignment with new business models and the desired culture.

Culture 3.0 — HR Technology and Culture-by-Design: The rise of technology and digitization has impacted approaches to understand corporate culture over the last decade, with new digital assessment and survey tools in an attempt to measure employee engagement. Following the phenomenal rise of, which went from zero to $1 billion in revenues in just 10 years due to its fanatical focus on a culture of service and high employee engagement, many technology-based start-ups, like Google and Amazon set out to build strong cultures of employee engagement as a way to drive growth and performance. Sensing a business opportunity many consulting firms have begun developing and selling ways to measure employee engagement as a proxy for corporate culture. Today there are many survey applications being offered to measure employee engagement, attitudes and compliance. These survey applications provide good information on employee behaviour and provide a way for employees to engage with their organization. However, employee behavior only represents one aspect of culture. Although a narrow view of culture, measuring employee engagement through technology has helped companies begin to take corporate culture more seriously.

Culture 4.0 — Corporate Culture as a Business System: Up till now, culture has been defined, assessed, measured and managed primarily as a collective set of beliefs, mindsets and behaviors, using surveys as a way to determine the gap between the current culture and the desired culture. And these culture assessments, for the most part, are a reaction to a perceived culture problem and performed periodically, usually on an annual schedule. Trying to improve culture reactively and periodically only takes an organization so far and has currently created a growing cynicism among Boards, CEOs and business leaders as mostly an “HR thing” and not very useful for running the business. And this at a time when more senior leaders are seeing and understanding the economic imperative for actively managing culture!


The recent publication of John R. Childress’s ground-breaking business book, Culture Rules! in late 2017 introduced a radical idea concerning corporate culture. What if we looked at culture as a business system? A system which contains multiple drivers that interact with each other, like the elements in an ecosystem, to determine the “way we do things around here”. It is the dynamic interactions between the drivers within the culture system that influence the collective attitudes and behaviors of employees and subsequently, business results.

Corporate culture reflects the complex interactions between business strategy, processes, structures, technology, policies and people. These interrelated culture drivers form an end-to-end system, the corporate culture system. Although leadership behaviors and values are some of the most written and talked about drivers of corporate culture, those two ingredients alone are insufficient to fully understand and manage corporate culture to improve business performance.

“If you can’t describe what you are doing as a process,

you don’t know what you are doing.” -W. Edwards Deming

Seeing culture as a business system allows one to better understand not only the drivers of culture but more importantly where they reside in the company. Those familiar with extended supply chains will understand the value of mapping how materials flow from multiple suppliers in diverse locations into the company warehouse, onto the manufacturing floor and into the final product. Corporate culture can also be viewed as a system, or flow process. The drivers inside such a system provide the meaning and context for what we see as cultural behaviors and habitual work practices, often described by current employees as “how we do things around here.”

“Wells Fargo designed a system that produced bad behavior. When you find that out, you must do something about it. The big mistake was they didn’t do something about it.” -Warren Buffet

Summary: Mapping and Managing Corporate Culture

Corporate culture is a business system with multiple culture drivers.

Manage the drivers and you can manage the culture.

An in-depth understanding of corporate culture requires seeing it as an end-to-end business system, which begins with vision and strategy, linked to the major drivers of culture and ends with business performance outcomes. By constructing an end-to-end culture system map and then stepping back, it is much easier to see the many culture drivers that exist and their link to business performance. With this knowledge, a savvy leadership team can use a Culture-System-MapÔ to better align the culture drivers with their business model and strategic objectives and make better business decisions.

Several useful insights emerge when corporate culture is viewed as a business system. With this point of view, not only are the real drivers that shape, build and sustain the culture more easily identified and clearly defined, but a systems map of culture also makes it possible to identify the culture drivers that most impact business performance.

About CulturSys, Inc.

CulturSys, Inc. is a Culture Management Technology & Consulting Solutions company founded by three former CEO’s with a passion for building better businesses and improving the lives of people and the spirit and performance of their organizations in the Energy, Utilities and Financial Services Industries.

CulturSys, Inc. is built upon 35 years of hands-on consulting experience with Boards, CEOs and Senior Teams on shaping corporate culture for improved business performance and risk management. Using culture mapping, proprietary algorithms, big data, artificial intelligence, employee involvement and third-party assurance we deliver insights, systems and processes to manage the culture drivers that impact business performance and business risk.

Chairman at CulturSys, Inc.:

Senior Executive Advisor on Leadership, Culture and Strategy Execution Issues,
Business Author and Advisor to CEOs
Visiting Professor, IE Business School, Madrid

Twitter @bizjrchildress

Posted in consulting, corporate culture, John R Childress, leadership, strategy execution, the business of business, Uncategorized | Leave a comment

Photography, Perspective and Corporate Culture



Photography has come a long way since I got my first camera in the 1960’s.  It was a Leica SLR with a normal lens and a telephoto, which I took with me to Beirut, Lebanon during my Junior year of college as an exchange student. I took hundreds of pictures, most of which didn’t come out that well, but I still had to develop the film and print contact sheets to find the good ones. At that time there was no fish eye lens or panoramic shooting and setting the exposure and focus were mostly manual activities. And it was heavy. And I certainly couldn’t take it under water on my diving trips without extra housing protection.  But at that time it was the best way for me to record the world around me and bring it home so others could hopefully understand my life-changing experience in Lebanon.

iphone-photo-kitNow days, photography has been revolutionized, first by digital and then by the iPhone. With an iPhone 7s a person can take hundreds of photos, see the results instantly on the screen, discard the bad ones, send them around the world to friends via Messenger or email, and even colour correct them. All within the same small, compact, light smartphone.  And there is even an ability to take panorama shots and video with the iPhone. Some creative types are shooting movies with just an iPhone. Plus it has an internal zoom capability.  And there are inexpensive clip on lenses for real telephoto picture-taking. Best of all, I can shoot underwater!

Comparing my old printed photographs with these new digital pictures gives one an entirely different perspective of the world. You can see more, capture more, save more and share more of the world around you.  And as a result, perhaps even better understand the world and your surroundings.

Apollo-17And remember those first photographs of earth from space? In December 1972, the crew of Apollo 17 took the first ‘Blue Marble’ image of the entire planet Earth and we gained a new perspective about the fragility of the planet we all live on.  Our planet is one big closed system and changes in one part can have a profound impact on other parts.

A New Perspective on Corporate Culture

In my recent book, CULTURE RULES! The 10 Core Principles of Corporate Culture, I look at corporate culture from a different, wide-angle, all encompassing perspective, using new tools to really understand what shapes, drives, and sustains the habitual work behaviors and attitudes that most people think of as corporate culture.  Just thinking of corporate culture as behaviors is like trying to photograph a broad landscape through a straw!  You only see a narrow aspect of the entire scene.  Behaviors are only one part of corporate culture, the output, or results of what I term, the “corporate culture business system”.

The system is the culture.

By taking on the perspective and understanding that corporate culture is really a business system and an end-to-end value chain, not only can we see the outputs (=behaviors), but also the inputs and drivers that interact within that system to create your specific and unique corporate culture. All cultures have similar drivers, but how they are woven together, their relative strengths, and how they interact means that each company has a different corporate culture, unique to it.

While two companies may be described as having a culture of poor teamwork, there is not enough information in this assessment for management to either reshape or change that set of behaviours.  But if we look at all the internal drivers, such as compensation, hiring practices, shared objectives, budgeting processes, reward systems and the focus of top management, it is now much easier to understand why there is poor teamwork, but more importantly, what drives those behaviours. And now we know the levers that need to be changed in order to produce a different set of behavioral outcomes.

Change the system, change the culture.

What are some of these “culture drivers” within the corporate culture business system?  Here are some of the key drivers of corporate culture and their relative impact on building and sustaining a company culture.  And you might be surprised by the relative strengths and which elements are the stronger drivers of culture.

Culture drivers

Learn More About Your Corporate Culture

If you want to better understand your own corporate culture, and find the important levers for change, take a look at CULTURE RULES!, now available on Amazon in paperback and eBook format.

culture rules book pictureThis wonderful book will transform our understanding of corporate culture. Seeing culture as a business system, and the 10 Core Principles that govern culture, can help leaders at all levels develop a high-performance organization. Finally, an approach to corporate culture that makes a compelling business case!

~ Stephen M. R. Covey, New York Times bestselling author of The Speed of Trust.



Written and Posted by: John R. Childress

Senior Executive Advisor on Leadership, Culture and Strategy Execution Issues,
Business Author and Advisor to CEOs
Visiting Professor, IE Business School, Madrid

Twitter @bizjrchildress

Read John’s blog,

On Amazon:

CULTURE RULES!: The 10 Core Principles of Corporate Culture

LEVERAGE: The CEO’s Guide to Corporate Culture

FASTBREAK: The CEO’s Guide to Strategy Execution

Posted in Uncategorized | Leave a comment

Spider Webs and Corporate Culture


My little garden in London has a large number of spider webs that seem to be doing an excellent job of catching flies and mosquitos. In that sense, I don’t mind.  But when I pass through the garden in the early morning on my way to my office at the back, I frequently get a web in the face and spend the next few minutes extracting myself. They are definitely sticky.

When I have time, I enjoy just staring at these marvellous webs and their complex construction, so precise as to be the work of an engineering genius. So strong and delicate at the same time.  And when I really pay attention I notice that there are different types of threads. Most of the silk threads make up the interior network, each connected to the other to form the web network. And more often than not the spider sits at the very center of the web, each of its eight legs resting on one of the major sections of the web, which I assume allows it to detect which area of the web has a trapped and struggling moth or fly.  At which point the spider moves in for the kill, wrapping it in a cocoon of silk, thus storing the food supply for later snacks.

However, there are slightly thicker threads of silk that anchor the web to bushes or the iron railing around my garden.  These support the web structure, much like the support cables on a suspension bridge. Without these the web could not maintain its broad, wide and open shape.  These anchor threads are obviously critical to the entire support of the web.

And now to corporate culture:

“Systems are the essential building blocks of every successful business.” ~Ron Carroll

Culture rulesIn my latest book; CULTURE RULES!: The 10 Core Principles of Corporate Culture, I show that corporate culture is more than just behaviours, and “how we do things around here”.  The visible behaviours most academics and consultants think of as culture, are actually the outcomes, or end result, of what I call the “corporate culture business system“.  This is analogous to any end-to-end business system, such as a supply chain, where there are multiple value drivers along the chain from supplier to finished product.

Behaviours don’t just happen randomly.  We behave in certain ways in response to certain stimuli, or “drivers”.  A perceived injustice triggers one set of behaviours while a perceived kindness another. In an organisation, collective or habitual behaviours, what some call culture, are the outcome of various drivers (policies and processes) in place in the organisation that induce certain behaviours.

For example, a corporate culture business system may have a particular compensation policy or bonus scheme that encourages risk taking. And sometimes extreme compensation potential drives extreme, and even excessively risky behaviours. Such was the case in many global banks between 2004-2007 when the housing market was inflating, mortgages and lending rates were extremely low, and people were eager to invest with borrowed money. A culture of greed and casino-like behaviour grew inside many large banks, with excessive compensation policies as the driver. The inevitable result was a focus on personal and company profits at the expense of clients and customers and the inevitable global financial crisis that began in 2007.

There are many culture drivers in a typical corporate culture business system. But not all have the same strength.  And the internal strength of these drivers produce a specific collection of employee behaviours, or the visible culture.

This chart, from my book, CULTURE RULES!, shows the relative strengths of various culture drivers. You might be surprised to find Peer Pressure at the top of the list, but it is actually one of the strongest drivers of shared habits and collective employee behaviours, what we see as corporate culture.

Screen Shot 2017-08-22 at 14.38.50

Change the drivers, change the culture

Back to the Spider Web analogy:

Strong culture drivers such as Peer Pressure, Company Policies, National Cultures, and CEO behaviour are akin to the support threads of a spider web.  They hold the web together and the strongest culture drivers tend to determine the type of corporate culture. Stop and think about your particular corporate culture.  What behaviours stand out?  Then look at what elements of the organisation might be promoting these behaviours.  Many company policies and internal business practices may actually be driving unwanted behaviours that are out of alignment with your espoused company values.

Want to know how to reshape culture?  Look at the policies, business processes, leadership behaviours, hiring practices,  compensation and frequently told hero or bum stories and you will probably find the real drivers of employee behaviour.  Remember, culture is a business system.

A bad system will defeat a good employee every time. ~W. Edwards Deming

Written and Posted by: John R. Childress

Senior Executive Advisor on Leadership, Culture and Strategy Execution Issues,
Business Author and Advisor to CEOs
Visiting Professor, IE Business School, Madrid

Twitter @bizjrchildress

Read John’s blog,

On Amazon:

CULTURE RULES!: The 10 Core Principles of Corporate Culture

LEVERAGE: The CEO’s Guide to Corporate Culture

FASTBREAK: The CEO’s Guide to Strategy Execution




Posted in Uncategorized | Leave a comment