Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Changing the culture.

It’s often not enough to increase the level of security awareness in your organization; you have to change the culture.  Telling someone to secure their files isn’t going to work if they don’t care; telling them why they should care isn’t the same as getting them to care.  (And threatening them with punishment isn’t the same as getting them to care—see how well compliance works when nobody’s auditing?  About as well as the threat of eternal damnation; nobody thinks it’s going to happen to them.)

So how do you do it?

Answer:  slowly and steadily, with a great respect for the inertia that matches the size of the organization.

It usually takes me about two years to make a lasting effect, longer if there’s a lot of staff turnover.  Once I had to bring the concept of 24x7 support to a company’s branch where their pagers didn’t work outside the building and they didn’t have voicemail (the rationale being, if you weren’t at your desk nobody should be bugging you anyway).  When you step into a world that alien, you’ve got to spend time learning the language first, and reassuring them that you come in peace.

Here are some tips for making that sea change:

- First, walk the talk loudly, so that everyone around you can hear it.  Don’t underestimate the power of setting an example (or, in more woo-woo terms, becoming the change you want to see in the world).

- Recruit like-minded individuals, ideally spread throughout the organization.  Each one can be a seed for your nefarious plans.

- Use both humor and bribery, early and often.

- Pace yourself.  There will be a lot of people who don’t like change, or don’t like your particular change.  Wait them out.  If they’re unhappy with you, chances are good that they’re unhappy with other things too, and eventually they’ll move out.

- Be consistent.

- Be visible.

- Be generous.  People are most likely to listen to you when you’re helping them.

- Make sure your management is supporting your change.  You need at least one person above you who can go to bat for you.

- And finally, save the big guns for later in the campaign, if you really have to take out some lingering resistance.  By the time most of the organization has turned, you won’t create as much ill-will when you’ve got to drop the hammer on someone who’s refusing to get with the program.  (In some cases, you won’t even have to use the big guns yourself.)

When you’re a security manager, you have to learn to embrace your inner tortoise.  Don’t worry, you’ll get there.


Posted by shrdlu on Friday, August 03, 2007

Comments

LonerVamp, United States, on 08/03 at 09:29 AM:

Sounds like such a fun game!

I’d add:
- Use technological controls whenever possible. While it sucks to make people care, they can tolerate quite a bit as long as it doesn’t negatively impact their job or they don’t have to do anything or make decisions. Just remove it from their view.


Scott Wright, Canada, on 08/07 at 11:19 AM:

Excellent post!  Setting the expectations is the first item of business in organizational change.

While I agree with LonerVamp that you need to leverage technological controls wherever possible, I don’t think you should talk about them too early.  It can make the big picture too complex to discuss.  That’s why I prefer to start with the issues senior management can wrap their minds around - profit, loss, risk, culture, etc.

The best way to leverage the technology is to make sure everyone knows why you are putting it in place and how to get the most from it toward attaining your objectives.

Gary Hinson, New Zealand (Aotearoa), on 08/28 at 06:26 PM:

I listen to my inner tortoise alright but, unfortunately, I live in a world where everything has to happen flat-out.  We’re on Internet time, don’t you know.  People want it ‘yesterday’.  Security awareness programs are expected to bring voluminous returns in weeks not months.  The attention span of your average manager is about 20 nanoseconds (on a good day, less if she’s been drinking coffee).  “Strategic planning” in one IT department I worked for involved deciding what to do for the rest of this quarter.  Yes really.

It helps to set appropriate expectations in the first place.  Launching an awareness program with a massive launch-fest, at which one or more senior managers are wheeled out to spout off about how exciting it is to be changing the corporate culture for the better, may not be the best idea in the end.  I’ve seen too many big plans go awry within weeks.  Guerrilla tactics are an alternative: quietly slip security awareness activities into the plan while distracting management with ‘something shiny’, and don’t forget to include management in your list of awareness target audiences.  Find friends in HR/employee comms/training, Risk Management, Compliance, even Infernal Audit and Health and Safety if you’re desperate, and help each other out (they have many of the same problems).  Make your plans over the long term - my favorite idea is to plan a succession of security awareness “topics” to be delivered month-by-month, keeping things on the boil for longer.

The BSOFH in me is always looking for “awareness opportunities”.  Security incidents are Good.  Near misses are OK.  Disasters averted are Bad.  Nasty security incidents affecting those who are most resistant to security and security awareness are Best Of All.

G.

PS I like your writing style.  Nice work.
