The last 15 years have brought a lifetime of changes in information security. The protection of information has never been more important or challenging. Companies must find ways to create flexible yet secure organizations prepared to meet increasing security challenges.
The good news is that a cost-effective solution is close by. It's people. By embedding secure practices in every employee and including security in each facet of the business, organizations have a powerful solution for building a well-defended company.
It starts with the security organization. Traditionally, information security groups have focused on deploying technologies to address the threat of malicious activity. However, the most secure companies are also focusing their security efforts toward the employees and others who may unintentionally put data at risk.
But changing behavior requires communication that is open, honest and based on data rather than fear. It also requires dialogue that enables employees to understand how security – or the lack of it – impacts them personally.
Communication skills are often not the expertise of information security professionals. Nevertheless, if security organizations are to be effective in motivating employees to change behavior, they must expand their skill sets to include communication. The most successful information security organizations start by listening to what each business unit needs – what their problems are, what their strategy is, and what their future direction involves. The first few meetings are opportunities for the business units to speak candidly about their operations, as well as about how they perceive the security organization. The discussions may involve more than a little RTT, or rotten tomato talk, directed toward security issues, and the most effective security teams respond by acknowledging their shortcomings.
Just as honest communication is an essential component of motivation, so is data. Many security organizations have used fear as a tactic to motivate individuals. While fear may motivate for an instant, it almost always has a negative impact over time, and may ultimately destroy the organization's credibility.
Using facts from reputable sources to help justify security activities and recommendations is very effective in driving behavioral changes. These sources might include appropriate metrics from data generated by internal or customer sensors. They might also include reports on laptop losses. When security teams provide such metrics, employees begin to understand that it is not fear or paranoia that is driving security initiatives, but actual attacks and security incidents.
Employees are most often motivated to practice safe computing when they understand the potential impact that poor security habits, as well as safe computing practices, could have on them.
A growing number of consumers and businesses have already experienced a serious data breach. But these devastating events can be leveraged to make security a pressing and personal concern for employees and others. As individuals begin to perceive security practices as an essential tool that could protect their own interests, as well as their company's assets, they are more likely to take necessary steps to keep their information safe.
By communicating openly, providing data and personalizing their message, information security organizations will lead the change that their companies need. With every employee in every business unit following the computing practices that will help keep the company safe, this well-equipped, vigilant, highly motivated workforce will create a protection system that permeates the entire enterprise and will safeguard the company now and in the future.