The call is coming from inside the house! By 2025 it’s predicted that our employees will be responsible for over half of the significant cybersecurity incidents in our organizations. Yikes. As the digital landscape evolves and becomes more complex, employees are continuing to fall victim to phishing emails, social engineering attacks, compromised credentials, and ransomware. Developing and deploying effective cybersecurity strategies that employees will actually follow is an imperative for organizations of all sizes!
Peter Drucker famously said, “Culture eats strategy for breakfast,” meaning that the company’s culture determines its direction, regardless of how effective the strategy may be. This is particularly true when it comes to cybersecurity strategies. Employees will either be the first line of defense or a potential vulnerability. They need to be educated, engaged, and motivated to adopt and sustain cybersecurity risk mitigation tactics in their daily activities.
Cybersecurity Innovation Through OCM
Organizational Change Management (OCM) provides a deliberate and comprehensive approach to align cybersecurity strategies with workplace culture. Employees will not only operationalize the cybersecurity strategies but also reinforce and sustain them by creating a culture of security.
Below are six examples of how Organizational Change Management can be used to drive the people side of cybersecurity strategies.
“Information security hinges on the effectiveness of the change management process.”
– The U.S. Department of Defense
1. Align to a Shared Security Vision
Successful organizational change begins with a clear vision, and cybersecurity is no different. Conduct cybersecurity audits to evaluate the strengths and limitations of your workforce’s current cybersecurity competencies. Set a measurable goal for an improved future state. Document the vision clearly and include why cybersecurity is so critical given the constantly evolving cybersecurity threat landscape. A shared vision is powerful because it:
- Aligns cybersecurity performance goals to the organization’s business strategy and priorities.
- Aligns leadership to the vision so they can support and champion the change with employees.
- Provides focus and consistency of messaging.
2. Understand the Influencers and the Impacted
It is important to understand who will influence the success of the cybersecurity vision. Are some stakeholders more influential than others? Do leaders have competing priorities? Is there a way to embed cybersecurity into other initiatives that are underway? Who will need to adopt and champion cybersecurity policies and procedures? A stakeholder plan is a thoughtful way to consider these questions. Once you know the stakeholders, you can:
- Identify their level of support or resistance.
- Create a plan for active and specific two-way engagement and communications.
- Enlist their support.
3. Communicate Cybersecurity Strategies Early, Clearly, and Often
Cybersecurity may seem like a no-brainer to technology leaders. But front-line employees may not understand the devastating impact of their actions – or failures to act. Early communication will build awareness. Clear (and non-technical) communication will support understanding. Repeated communication will ensure the message is heard.
A plan will make communications more efficient. What messages need to be sent to a specific audience? Who are the best people to share the message? How will you prepare leaders? The communication plan can then be used as a framework to craft the messages themselves.
A strong communications plan includes:
- Target audience(s)
- Context
- Intended outcomes
- Key messages
- Appropriate medium
- Preferred messenger(s)
- Timing
4. Document Data Security Policies and Procedures
Chances are your organization already has a data security policy. Is it aligned with the future state vision? Do employees know where to find it? Is it accessible? Is it maintained? If you are uncertain of the answers to these questions, it is time to rethink your approach to policies and procedures.
Organizational Change Management best practice: While drafting policies or procedures, show a draft to a sample audience. Ask them:
- Is the policy clear?
- Do they understand why they should perform the procedures or uphold the policy?
- What could get in the way of their ability to perform the procedure or uphold the policy?
Understanding employee barriers to performance and enlisting their help in problem-solving to remove those barriers is a key to long-term adoption.
5. Cultivate a “Security-Conscious” Culture Through Training
A “security-conscious” culture comes to life when training becomes routine behavior.
While it is tempting to have an employee read a policy guide and cross our fingers that it will stick, it is not likely to do so. Instead, successful organizations create an organizational learning strategy that includes:
- Alignment of learning objectives to cybersecurity behaviors on the job.
- Assessment of learning needs by audience.
- Relevant, creative, and engaging training content tailored to audience needs.
- Training for managers on how to champion the training, behaviors to watch for, and coaching on-the-job post-training.
- Measurement plan that extends to behaviors post-training.
6. Plan for Sustainment of Cybersecurity Strategies
Cyber threats constantly and rapidly evolve, and so must your workforce’s response. By having a plan for keeping employees well-informed and up-to-date on the latest threats and defenses, organizations can reduce their vulnerability to attacks. The sustainment plan should:
- Align cybersecurity review and discussion with formal and informal reinforcement such as existing onboarding, training, and performance management programs.
- Create a review, reinforcement, and reward system for employees who support and sustain security-consciousness.
- Establish an ongoing cybersecurity maintenance plan that sets how often the vision, policies, procedures, training, and performance metrics will be updated.
The Future of Cybersecurity
It is an unfortunate truth that cybersecurity incidents have become a constant and growing threat in this digital age. Organizations must adapt to the evolving landscape and manage the changes in front of us. One thing is certain: when your employees are aware of threats and act proactively to mitigate them, your organization becomes more secure.
At CARA, we have experience creating holistic communications, training, and Organizational Change Management solutions designed to foster a culture of security for Fortune 1000 companies. To learn more, let’s connect.
Steve MacGill, Consultant Advisory Board Member, The CARA Group contributed to this blog.