Creating a culture that emphasizes a security-first mindset requires more than just updating the vision statement. HR professionals and people managers know very well that creating a sustainable organizational culture that makes any company vision a reality is a never-ending work in progress.
Simply introducing the vision and values, and creating a sense of buy-in among all employees is one step. Infusing the values into different processes within the business to guide decision-making is another. But actually managing behavioral change so it lasts over time is not a single step or moment in time – it’s an ongoing effort.
Those familiar with change management frameworks understand the complexity involved in sustaining organizational change over time. When it comes building a successful cybersecurity culture, this doesn’t mean you need to map out an elaborate theory of change before you can make an impact. Implementing a couple key tactics with proven effectiveness can get you started quickly, and you can measure and adjust as you go to ensure continued progress.
Incentives and rewards
Truly embedding security into everything your company does requires overcoming challenges created by conflicts of interest. Employees are usually motivated to make decisions based on achieving targets, closing a deal, or meeting a deadline. But at times this could promote behavior in conflict with operating securely. When faced with a choice between the two, they are more likely to act in support of hitting the goals they’re measured against. The opportunity is to provide an alternate motivation for security-first behavior that modifies they choice they are more inclined to make. By incentivizing and rewarding employees for demonstrating secure behaviors, such as reporting a suspicious email to IT, the forces guiding decision-making can shift over time until they become habit.
Use of gamification to improve cybersecurity performance is becoming more common as the benefits are better understood. But the power of this technique inside the workplace by HR teams has already extended beyond training users in problem solving, to a tool for engagement. Gamification uses elements of play and competition and applies them to real-world processes. Employing gaming programs that test employees on their knowledge of breach risks and cybersecurity best practices provides education and training with higher rates of engagement and effectiveness than traditional methods. Competition among teams and rewards for high performers also contribute to greater participation and longer-term impacts to behavior change.
Everyone copes with change in different ways. In the early stages after introducing something new, it’s critical to provide opportunities for people to respond. Initial success in getting the changes to take hold depend on creating space for staff to react and opening channels for them to share feedback. Knowing that employees will process what’s happening at different rates and have a variety of comfort levels in coming forward with their reaction, build multiple communication conduits. This could include quarterly town-hall style forums with leadership, an annual employee survey, weekly sign-ups for one-on-one meetings, ongoing anonymous comment submissions, or regular online group chat sessions.
Building a culture of security isn’t a one-time event. It requires ongoing dedication and continuous improvement. But don’t be daunted by the never-ending nature of change management. Start with small steps you can implement quickly, expanding over time as you test and learn what works best with your teams. Sustaining an organizational culture that will last is a matter of continuing to put in the work over time and finding ways to keep it fun.
Tactics for Managing Behavioral Change that will Last
Once you’ve introduced the values and vision for your culture of security, it’s critical to continue putting in the work to maintain it. This requires a long-term commitment and ongoing effort. Start with these three strategies to help manage behavioral change over time.