How to Inspire Change in Your Security Culture

Adopt the best practices of change management to inspire employees to comply with security practices.

Does your security mandate come across like an order? If so, it’s the equivalent of telling a child to take out the trash, and your ability to inspire employees to comply with security practices may fall short of your goal. The solution for security professionals is to adopt the best practices of change management, according to Debra Logan, vice president and Gartner Fellow, in her session, “Changing Your Security Culture: Why Change Is Hard and What to Do About It,” at the Gartner Security & Risk Management Summit in National Harbor, Maryland.

“We assume people resist change because classic change management doesn’t work,” Logan says. Surveys often show that only one-third of people in an organization are engaged, and these are the people who may comply with security protocols. The other two-thirds are at risk of violating those principles. So, first seek to change people’s engagement with the enterprise, and then with your security program.


Tap into human nature
Change is often difficult because we overestimate rational thinking and underestimate the big role that emotions play in our decision making. “We think if we push hard enough people will change. And we prevent people from changing by putting obstacles in their way,” Logan says. Recognizing, however, that all decisions involve some element of emotion can help change efforts: After all, emotion is engagement.

Security professionals can tap into employee emotions and other workplace motivators by using video conferencing instead of email communications and by appealing to a sense of purpose. For example, instead of suggesting that people should want to protect their customers’ data, which is an abstract concept, make it personal by suggesting that they would want to treat sensitive corporate and customer data the way they would want their own sensitive personal data protected.

Another tactic is to tap into the human desire to avoid social exclusion. “We’re herd animals, we need each other,” Logan says. Therefore, make social change a group exercise. “Instead of posting on the Intranet, have a meeting about what you want changed,” she suggests. This also provides a chance to involve people in the process as a method of increasing their engagement.

Logan says that presenting a business case with numbers won’t inspire followers. Instead, security leaders should craft a vision to help the organization understand why it’s necessary to make changes to the firewall, governance, or other security matters. Explain what’s in it for colleagues and the broader organization, and create an emotional connection to help people understand what matters to them at work.


Video replays from the Summit are available at Gartner Events on Demand.
