September 21, 2015 By Christophe Veltsos

Whether it’s communicating in the boardroom, communicating during a crisis such as a data breach or communicating to subordinates, CISOs must carefully weigh the impact of their words. But they also have to recognize that the cultural norms of their audience will result in the same message being perceived quite differently across national or organizational cultures. Thus, today’s CISOs would be wise to consider their own cultural norms and those of their audience when crafting a message. This article covers two such norms with a high degree of relevance to those in security leadership: the Power Distance Index and the Uncertainty Avoidance Index.

In his 2008 book “Outliers,” Malcolm Gladwell traces several aviation disasters to a breakdown in proper cockpit communications due to cultural factors that prevented the co-pilot from properly relaying the urgency of a situation. Gladwell points to the Power Distance Index (PDI) as a major factor in those crashes.

Pilots are trained to follow a strict protocol of sterile cockpit communication during takeoffs and landings to provide maximum signal to each other while also allowing for important updates or alerts to provide the best possible outcome in case of a flight emergency. Not only must pilots and co-pilots think clearly, but they also have to communicate in a way that leaves virtually no doubt as to the meaning being conveyed.

Note that not everyone agrees with Gladwell’s argument that PDI was a major factor in the airline crash cases he covers. The reader is encouraged to read this rebuttal regarding Korean Air’s disasters.

About the Power Distance Index

The Power Distance Index is a term coined by professor Geert Hofstede, a Dutch social psychologist — and former IBM employee — who developed a framework for assessing the effect of national and organizational culture on behavior. The initial framework consisted of four key elements: power distance index (PDI), uncertainty avoidance (UAI), individualism (IDV) and masculinity (MAS). Later, two additional dimensions were added: long-term orientation (LTO) and indulgence versus restraint (IVR). Let’s explore the first two in more detail since they relate to the impact of CISOs’ words and actions on the behavior of their audience.

Hofstede defined PDI as “the extent to which the less powerful members of organizations and institutions (like the family) accept and expect that power is distributed unequally.” This is meant to be a measure of the tolerance for power and inequality from the perspective of the person with less power. Thus, a manager giving an order in a high-PDI culture will expect full compliance from the lower ranks.

According to Hofstede’s data, the five countries with the lowest PDI are: Austria (11), Israel (13), Denmark (18), New Zealand (22) and the German-speaking parts of Switzerland (26). The five countries with the highest PDI (i.e., the highest tolerance for power inequality) are: the Philippines (94), Guatemala (95), Panama (95), Malaysia (104) and Slovakia (104). For comparison, the U.S. scores 40, Great Britain scores 35, Germany scores 35 and France scores 68.

Measuring Uncertainty Avoidance

UAI measures “a society’s tolerance for uncertainty and ambiguity. It indicates to what extent a culture programs its members to feel either uncomfortable or comfortable in unstructured situations. Unstructured situations are novel, unknown, surprising [and] different from usual.”

National cultures with high degrees of UAI will be more likely to have strict laws and believe in a unique, absolute truth. Conversely, uncertainty-accepting cultures are more likely to be tolerant of opinions that differ from their own and consider the validity of someone else’s opinion. Hofstede’s data shows the five countries with the lowest UAI are Singapore (8), Jamaica (13), Denmark (23), Sweden (29) and Hong Kong (29). The five countries with the highest UAI are Belgium-Netherlands (97), Uruguay (100), Guatemala (101), Portugal (104) and Greece (112). For comparison, the U.S. scores 46, Great Britain scores 35, Germany scores 65 and France scores 86.

The combination of PDI and UAI can provide surprising results. For example, the profile of the French culture along these two dimensions (PDI of 68 and UAI of 86) shows a culture in which laws and structure are expected, but “given the high score on power distance, which means that power holders have privileges, power holders don’t necessarily feel obliged to follow all those rules which are meant to control the people in the street. At the same time, commoners try to relate to power holders so that they can also claim the exception to the rule.”

Analyzing Communication Patterns

Taken together, the PDI and the UAI provide a framework to analyze one’s own reasoning and interactions with others. For example, someone coming from a high-PDI culture will expect his or her orders to be acted upon without question. Worse, if the listener is from a low-UAI culture, he or she may not seek additional input or clarification from the boss, which could result in the execution of an incomplete or erroneous task.

A 2010 paper titled “Exploring the Influence of National Cultures on Non-Compliance Behavior,” published in the journal of the International Information Management Association, confirmed the influence of national culture on employee behavior. It also cautioned that in countries with low UAI scores, employees might seem more willing to “bend the rules” based on their own personal judgment.

As the sphere of interaction for CISOs continues to expand, so, too, grows the potential for communicating to different types of cultural backgrounds — including the you-must-not-be-from-IT culture. Take a moment to consider your own cultural profile and that of your audience when crafting the message at hand.
