Does your security mandate come across like an order? If so, it’s the equivalent of telling a child to take out the trash. And your ability to inspire employees to comply with security practices may fall short of your goal. The solution for security professionals is to adopt the best practices of change management, according to Debra Logan, vice president and Gartner Fellow, in her session, “Changing Your Security Culture: Why Change Is Hard and What to Do About It,” at the Gartner Security & Risk Management Summit in National Harbor, Maryland.
“We assume people resist change because classic change management doesn’t work,” Logan says. Surveys often show that only one-third of people in an organization are engaged, and these are the people who may comply with security protocols. The other two-thirds are at risk of violating those principles. So, first seek to change people’s engagement with the enterprise, and then with your security program.
Tap into human nature
Change is often difficult because we overestimate rational thinking and underestimate the big role that emotions play in our decision making. “We think if we push hard enough people will change. And we prevent people from changing by putting obstacles in their way,” Logan says. Recognizing, however, that all decisions involve some element of emotion can help change efforts: After all, emotion is engagement.
Security professionals can tap into employee emotions and other workplace motivators by using video conferencing instead of email communications and by appealing to a sense of purpose. For example, instead of suggesting that people should want to protect their customers’ data, which is an abstract concept, make it personal by suggesting that they would want to treat sensitive corporate and customer data the way they want their own sensitive personal data protected.
Another tactic is to tap into the human desire to avoid social exclusion. “We’re herd animals, we need each other,” Logan says. Therefore, make social change a group exercise. “Instead of posting on the intranet, have a meeting about what you want changed,” she suggests. This also provides a chance to involve people in the process as a way of increasing their engagement.
Logan says that presenting a business case with numbers won’t inspire followers. Instead, security leaders should craft a vision to help the organization understand why it’s necessary to make changes to the firewall, governance, or other security matters. Explain what’s in it for colleagues and the broader organization, and create an emotional connection to help people understand what matters to them at work.