How to Inspire Change in Your Security Culture

Adopt the best practices of change management to inspire employees to comply with security practices.

Does your security mandate come across like an order? If so, it’s the equivalent of telling a child to take out the trash. And your ability to inspire employees to comply with security practices may fall short of your goal. The solution for security professionals is to adopt the best practices of change management, according to Debra Logan, vice president and Gartner Fellow, in her session, “Changing Your Security Culture: Why Change Is Hard and What to Do About It,” at the Gartner Security & Risk Management Summit in National Harbor, Maryland.

“We assume people resist change because classic change management doesn’t work,” Logan says. Surveys often show that only one-third of people in an organization are engaged, and these are the people who may comply with security protocols. The other two-thirds are at risk of violating those principles. So, first seek to change people’s engagement with the enterprise, and then with your security program.


Tap into human nature

Change is often difficult because we overestimate rational thinking and underestimate the big role that emotions play in our decision making. “We think if we push hard enough people will change. And we prevent people from changing by putting obstacles in their way,” Logan says. Recognizing, however, that all decisions involve some element of emotion can help change efforts: After all, emotion is engagement.

Security professionals can tap into employee emotions and other workplace motivators by using video conferencing instead of email communications and appealing to a sense of purpose. For example, instead of suggesting that people should want to protect their customers’ data, which is an abstract concept, make it personal by suggesting that they would want to treat sensitive corporate and customer data the way they would want their own sensitive personal data protected.

Another tactic is to tap into the human desire to avoid social exclusion. “We’re herd animals, we need each other,” Logan says. Therefore, make social change a group exercise. “Instead of posting on the Intranet, have a meeting about what you want changed,” she suggests. This also provides a chance to involve people in the process as a method of increasing their engagement.

Logan says that presenting a business case with numbers won’t inspire followers. Instead, security leaders should craft a vision to help the organization understand why it’s necessary to make changes to the firewall, governance, or other security matters. Explain what’s in it for colleagues and the broader organization, and create an emotional connection to help people understand what matters to them at work.


Video replays from the Summit are available at Gartner Events on Demand.
