Changing the culture.
It’s often not enough to increase the level of security awareness in your organization; you have to change the culture. Telling someone to secure their files isn’t going to work if they don’t care; telling them why they should care isn’t the same as getting them to care. (And threatening them with punishment isn’t the same as getting them to care—see how well compliance works when nobody’s auditing? About as well as the threat of eternal damnation; nobody thinks it’s going to happen to them.)
So how do you do it?
Answer: slowly and steadily, with a great respect for the inertia that matches the size of the organization.
It usually takes me about two years to make a lasting effect, longer if there’s a lot of staff turnover. Once I had to bring the concept of 24x7 support to a company’s branch where their pagers didn’t work outside the building and they didn’t have voicemail (the rationale being, if you weren’t at your desk nobody should be bugging you anyway). When you step into a world that alien, you’ve got to spend time learning the language first, and reassuring them that you come in peace.
Here are some tips for making that sea change:
- First, walk the talk loudly, so that everyone around you can hear it. Don’t underestimate the power of setting an example (or, in more woo-woo terms, becoming the change you want to see in the world).
- Recruit like-minded individuals, ideally spread throughout the organization. Each one can be a seed for your nefarious plans.
- Use both humor and bribery, early and often.
- Pace yourself. There will be a lot of people who don’t like change, or don’t like your particular change. Wait them out. If they’re unhappy with you, chances are good that they’re unhappy with other things too, and eventually they’ll move out.
- Be consistent.
- Be visible.
- Be generous. People are most likely to listen to you when you’re helping them.
- Make sure your management is supporting your change. You need at least one person above you who can go to bat for you.
- And finally, save the big guns for later in the campaign, if you really have to take out some lingering resistance. By the time most of the organization has turned, you won’t create as much ill-will when you’ve got to drop the hammer on someone who’s refusing to get with the program. (In some cases, you won’t even have to use the big guns yourself.)
When you’re a security manager, you have to learn to embrace your inner tortoise. Don’t worry, you’ll get there.
Posted by shrdlu on Friday, August 03, 2007