We would all love working for a company that is easy-going and allows us to do pretty much whatever we want, whenever we want. The reality, though, is that companies that are overly lax and lack security controls are easy targets for hackers.
Changing the security culture of your company is not an easy task. Here are 5 ways to help ease the change:
1. Communicate Proactively and Effectively
Let your employees know about the security changes before they are implemented. Provide as much detail as possible, but don’t overwhelm them with “techy” wording - make it clear and easy for everyone to read. Identify and communicate the “5 W’s”: who, what, when, where and why. Really focus on the “why” and the reasoning behind the change. Change in general is difficult for many people. It can be especially hard for long-time employees who have been performing the same poor security practices year after year. Providing a general understanding of the reasoning behind the change can go a long way.
2. Make It About Them
Let’s face it. Many employees couldn’t care less about the security health of their organization. What they don’t realize is that their actions could cause a major security incident, bring the company crashing down, and leave them without a paycheck - searching for a new job. When talking security, make sure they’re aware of the impact their actions have not only on the company but also on themselves.
3. Listen and Request Feedback
Be open and available for employees to voice their concerns. There are times when increased security can make tasks take longer and put a strain on productivity. Just because a new security control is put into place doesn’t mean it is set in stone and can’t be adjusted. Let your employees know you want to hear their concerns and you’re willing to make adjustments if possible.
4. Get Leadership Support
It’s important to make sure the leadership teams are on board and are ready to help lead the way. If you lack support from the top, it’s really hard to make everyone else see the value. First, target the upper-level teams, then let them help you spread the new culture throughout the company.
5. Give It Time
You can’t expect the culture of your company to change overnight. It takes time to change and adapt, especially for organizations that have been around for a while. Be patient and focus on specific incremental goals.
It’s no secret that information security is not an exciting topic. Many people see it as nothing more than an inconvenience. Make sure to let everyone know you appreciate their willingness to make a difference and that their efforts don’t go unnoticed. Reward good security practice – whether it’s verbal praise or a message sent over the company intranet, reinforce proper security behavior and begin seeing continued improvement.