September 21, 2015 By Christophe Veltsos 4 min read

Whether it’s communicating in the boardroom, communicating during a crisis such as a data breach or communicating to subordinates, CISOs must carefully weigh the impact of their words. But they also have to recognize that the cultural norms of their audience will result in the same message being perceived quite differently across national or organizational cultures. Thus, today’s CISOs would be wise to consider their own cultural norms and those of their audience when crafting a message. This article covers two such norms with a high degree of relevance to those in security leadership: the Power Distance Index and the Uncertainty Avoidance Index.

In his 2008 book “Outliers,” Malcolm Gladwell traces several aviation disasters to a breakdown in proper cockpit communications due to cultural factors that prevented the co-pilot from properly relaying the urgency of a situation. Gladwell points to the Power Distance Index (PDI) as a major factor in those crashes.

Pilots are trained to follow a strict protocol of sterile cockpit communication during takeoffs and landings to provide maximum signal to each other while also allowing for important updates or alerts to provide the best possible outcome in case of a flight emergency. Not only must pilots and co-pilots think clearly, but they also have to communicate in a way that leaves virtually no doubt as to the meaning being conveyed.

Note that not everyone agrees with Gladwell’s argument that PDI was a major factor in the airline crash cases he covers. The reader is encouraged to read this rebuttal regarding Korean Air’s disasters.

About the Power Distance Index

The Power Distance Index is a term coined by professor Geert Hofstede, a Dutch social psychologist — and former IBM employee — who developed a framework for assessing the effect of national and organizational culture on behavior. The initial framework consisted of four key elements: power distance index (PDI), uncertainty avoidance (UAI), individualism (IDV) and masculinity (MAS). Later, two additional dimensions were added: long-term orientation (LTO) and indulgence versus restraint (IVR). Let’s explore the first two in more detail since they relate to the impact of CISOs’ words and actions on the behavior of their audience.

Hofstede defined PDI as “the extent to which the less powerful members of organizations and institutions (like the family) accept and expect that power is distributed unequally.” This is meant to be a measure of the tolerance for power and inequality from the perspective of the person with less power. Thus, a manager giving an order in a high-PDI culture will expect full compliance from the lower ranks.

According to Hofstede’s data, the five countries with the lowest PDI are: Austria (11), Israel (13), Denmark (18), New Zealand (22) and the German-speaking parts of Switzerland (26). The five countries with the highest PDI (i.e., the highest tolerance for power inequality) are: the Philippines (94), Guatemala (95), Panama (95), Malaysia (104) and Slovakia (104). For comparison, the U.S. scores 40, Great Britain scores 35, Germany scores 35 and France scores 68.

Measuring Uncertainty Avoidance

UAI measures “a society’s tolerance for uncertainty and ambiguity. It indicates to what extent a culture programs its members to feel either uncomfortable or comfortable in unstructured situations. Unstructured situations are novel, unknown, surprising [and] different from usual.”

National cultures with high degrees of UAI will be more likely to have strict laws and believe in a unique, absolute truth. Conversely, uncertainty-accepting cultures are more likely to be tolerant of opinions that differ from their own and consider the validity of someone else’s opinion. Hofstede’s data shows the five countries with the lowest UAI are Singapore (8), Jamaica (13), Denmark (23), Sweden (29) and Hong Kong (29). The five countries with the highest UAI are Belgium-Netherlands (97), Uruguay (100), Guatemala (101), Portugal (104) and Greece (112). For comparison, the U.S. scores 46, Great Britain scores 35, Germany scores 65 and France scores 86.

The combination of PDI and UAI can provide surprising results. For example, the profile of the French culture along these two dimensions (PDI of 68 and UAI of 86) shows a culture in which laws and structure are expected, but “given the high score on power distance, which means that power holders have privileges, power holders don’t necessarily feel obliged to follow all those rules which are meant to control the people in the street. At the same time, commoners try to relate to power holders so that they can also claim the exception to the rule.”

Analyzing Communication Patterns

Taken together, the PDI and the UAI provide a framework to analyze one’s own reasoning and interactions with others. For example, someone coming from a high-PDI culture will expect his or her orders to be acted upon without question. Worse, if the listener is from a low-UAI culture, he or she may not seek additional input or clarification from the boss, which could result in the execution of an incomplete or erroneous task.

A 2010 paper titled “Exploring the Influence of National Cultures on Non-Compliance Behavior,” published in the journal of the International Information Management Association, confirmed the influence of national culture on employee behavior. It also cautioned that in countries with low UAI scores, employees might seem more willing to “bend the rules” based on their own personal judgment.

As the sphere of interaction for CISOs continues to expand, so, too, grows the potential for communicating to different types of cultural backgrounds — including the you-must-not-be-from-IT culture. Take a moment to consider your own cultural profile and that of your audience when crafting the message at hand.
