Proceedings of the
35th European Safety and Reliability Conference (ESREL2025) and
the 33rd Society for Risk Analysis Europe Conference (SRA-E 2025)
15 – 19 June 2025, Stavanger, Norway

From Organisational Culture to Communities of Practice: Organisational Culture and Resilience in a Context of Co-Emerging Safety and Security Challenges

Torgeir Kolstø Haavik1,a, Tor Olav Grøtan2, Susanne Therese Hansen1,b, Sissel Haugdal Jore3,c and Ruth Østgaard Skotnes3,d

1Studio Apertura, NTNU Samfunnsforskning, Norway.

2Software Engineering, Safety and Security (SESS), SINTEF Digital, Norway.

3Department of Safety, Economics and Planning, University of Stavanger, Norway. E-mail:

ABSTRACT

This paper reports from an early phase of a research effort engaging with organisations' response to emerging security threats in the oil and gas sector, combined with theoretical advances in cyber resilience. The ambition of the paper is to scrutinise the multi-dimensional appropriation of the term 'culture' to guide behavioural change and compliance with management expectations, rules, and procedures. In addition, we direct attention towards the mechanism of fostering professional culture in communities of practice. We argue that culture is not first and foremost a (pre-)condition for practice, but rather a pattern resulting from practice over time. This implies a 'practice approach' and a 'work-as-done approach' to organisational culture, which facilitates communication between scholarly literatures that rarely meet: the safety and security culture literature, and the resilience literature. The discussion will use cyber resilience as a case, as it is widely recognized across industries that the state-of-the-art cyber security approaches urgently need to be reinforced by resilience principles. There is a risk that the cultural condition may be "lost in translation" of auditability, so that the way we operationalise safety culture/security culture as a management concept implies a risk of running the errand of compliance rather than facilitating resilience. We argue for more focus on communities of practice in organisations to develop an understanding of contextual conditions, professional competence, and discretionary space in organisations. We also suggest how this focus can be inscribed into a further development of theories about resilience in a cyber-/hybrid threat context.

Keywords: Safety culture, Security culture, IT/OT culture, Communities of practice, Resilience.


