As security leaders, what if we could show the business that the things we care about and the things they care about are the same? Things like doing the work they love, making a difference to someone, protecting the reputation of the business and heading home to their families at the end of the day feeling comfortable in the knowledge their effort has made a difference. Fundamentally, they are made of the same things that we are – they are just at a different stage on the security journey with a different attitude to risk when it comes to achieving common business goals.
What if we could begin to talk the same language when it comes to the things we care about? To do this, think carefully about the process of learning a new language… we can’t learn Spanish by only driving past billboards and reading newspaper headlines, right? In the same way, when it comes to talking about security and how to be more secure, we can’t rely on generic group announcements to speak to every employee/contractor/network user. Broad business communications (e.g. posters, all-staff emails, online modules) do remind those who read them that action needs to be taken by 'everyone', but they don’t show people how to change their behaviour in the same way a role model can. Staff at all levels of the organisation can show people how to connect with more secure behaviours and be clear on the impact of these actions on the business.
You might see some of your peers in the business as already committed to security (which is great btw), but are they working with others to change their behaviour? What if we stop trying to influence everyone’s behaviour at once with broadcasts about everyone taking responsibility? What if we chose to influence and inspire one person at a time? You don’t need a billboard for that, just a simple, regular 1:1 conversation… even if, at first, an uncomfortable or awkward one. As you speak to people around the business, ask them to tell one other person about your conversations. When a few people around the table begin to discuss and display secure behaviours without prompting, it won’t go unnoticed. If anything, hopefully it will raise more questions to be discussed and eventually they become fluent. If you have found that broad communications haven’t worked in the past to influence staff behaviour, could we better communicate our call to action face-to-face, one-to-one, in common terms?