Does your security mandate come across like an order? If so, it’s the equivalent of telling a child to take out the trash. And your ability to inspire employees to comply with security practices may fall short of your goal.
The solution for security professionals is to adopt the best practices of change management, according to Debra Logan, vice president and Gartner Fellow.
“We assume people resist change because classic change management doesn’t work,” Logan says.
According to Logan, surveys often show that only one third of people in an organisation are engaged and these are the people who may comply with security protocols.
“The other two thirds are at risk of violating those principles,” Logan adds. “So, first seek to change people’s engagement with the enterprise, and then with your security program.”
Tap into human nature
Change is often difficult because we overestimate rational thinking and underestimate the big role that emotions play in our decision making.
“We think if we push hard enough people will change. And we prevent people from changing by putting obstacles in their way,” Logan adds.
“Recognising, however, that all decisions involve some element of emotion can help change efforts: After all, emotion is engagement.”
Logan believes security professionals can tap into employee emotions and other workplace motivators by using video conferencing instead of email communications and appealing to a sense of purpose.
For example, instead of suggesting that people should want to protect their customers’ data, which is an abstract concept, make it personal by suggesting that they would want to treat corporate and customer sensitive data the way they want their own personal sensitive data protected.
Another tactic is to tap into the human desire to avoid social exclusion.
“We’re herd animals, we need each other,” Logan adds. “Therefore, make social change a group exercise. Instead of posting on the Intranet, have a meeting about what you want changed.
“This also provides a chance to involve people in the process as a method of increasing their engagement.”
Logan says that presenting a business case with numbers won’t inspire followers.
“Instead, security leaders should craft a vision to help the organisation understand why it’s necessary to make changes to the firewall, governance, or other security matters,” Logan adds.
“Explain what’s in it for colleagues and the broader organisation, and create an emotional connection to help people understand what matters to them at work.”