6 reasons your behavioural change plan failed15 July 2019
Or…why behavioural change plans fail to engage and inspire change with your employees.
The best laid plans never survive contact with the enemy – so says the military man. Of course, a behavioural change plan for transforming your security culture starts from an altogether more positive place.
After all, your staff aren’t your enemy (and if you think they are, then you really are building failure into your plan from the outset).
But the basic premise stands. Once acquainted, plans and reality quickly fall out with one another. An adaptive mindset is critical for success. So, let’s keep it real, and look at why behavioural change goes awry with some practical examples.
And given we’ll be working through six common failings that can be flipped into success, let’s make it reality on steroids – six failings over six days for a working week from hell for the hard-pressed CISO that may be closer to the truth than is comfortable for some…
Day 1: Forgetting to bring along a map
You’ve decided to make a hooded hacker the focus of a comms campaign. A threat actor that everyone recognises, cliché or not. The design’s back and everyone loves it. You’re getting ready to roll the campaign materials together.
Then your CIO, who’s shown no interest to this point, drops a bombshell – she hates that hooded character at the centrepiece of your comms campaign. “It’s all a bit clichéd?” she says. “Can’t you come up with something more original.”
A lack of engagement rarely ends well. What has happened here is that someone – the CIO – who had a lot of influence in your campaign but apparently not much interest, decided they did have an interest after all. They went from being an influential observer to a key player. And what galls is that she might just have a point.
It is critical is to understand your stakeholders, touch base with them regularly, and show them the route you’re taking early on.
Look out for the personal politics and try and flush out potential conflicts as soon as you can. For bigger change programmes, we find stakeholder mapping exercises, perhaps as part of a scoping workshop, are a really good way to capture (and track) all those with an interest.
Day 2: Doing eLearning by numbers
The latest completion figures for your eLearning are in, and they are heading south faster than geese in November.
You’re being asked to dangle carrots (or to softly wield sticks) to get those completion rates up. How else are you going to be able to show that your training is working?
The errors on this are two-fold. First, why are training completion rates being used to track progress at all? Outcomes, not bums on seats, are what really matter for behaviour changed. Look to the metrics that matter. Secondly, being distracted by numbers. The low completion rates are just a symptom of a bigger problem.
Look at outcomes and the relevant metrics.
Maybe the problem is the course. Lower completion rates could mean your eLearning is becoming stale or is too broad. Look not only to refresh, but also to sharpen focus. Adults learn best when the learning outcomes are relatable and kept to a minimum – three being the magic number.
Day 3: Not listening to your users colleagues
Not long ago, a lost USB flash-drive and an embarrassing data breach produced a command from the top – “Ban USB sticks!”
Luckily, a policy document on removeable media was ready to hand.
Unluckily, it was a one-size-fits-all affair that didn’t take into account a critical group of engineers. They needed to share large (and sensitive) data files with third parties when they’re off the corporate network. With USBs banned, they’re using cloud sharing sites on their personal phones instead. An advance in security it is not.
The rush for action can cause unexpected reactions, especially if conversation with your colleagues is lacking. ‘Solutions’ pushed on them without proper consultation risk the adoption of less secure workarounds.
The key here is less haste, more speed. Take time to consult widely and look to work real-world practices into policy from the start.
That way, your push towards security progress will have the minimum of friction.
Day 4: Running face-to-face training without the focus
We’re past midweek, but training feedback has us on the back foot. It’s from the face-to-face sessions for your high-risk users (or as I’m sure they’d prefer, your ‘high-value colleagues’). The comments from the F2F training feedback forms are less than complimentary:
‘They didn’t say anything that was useful for us, so I turned off’ … ‘The trainer just talked at us’ … ‘It was all cyber-this, cyber-that – mumbo-jumbo to me’ …
The problem here is that someone forgot to make the training relevant and personal to the trainees. Stock, off-the-shelf approaches will fail to engage.
Ensure trainers understand the audience, their issues and their motivation.
Get hold of the information your L&D department has gathered and use it to shape the training to the audience. Remember to listen. This can be as simple as chatting to your users or using focus groups to honestly appraise awareness gaps and training needs.
Day 5: Malnourishing your change champions network
OK, it’s now Friday in our hypothetical week, so things should be getting easier, right? Wrong. It turns out your champions are revolting. Pitchforks are being brandished.
That’s a real problem. Change champions are the frontline of any programme to sustain changes in behaviour. Because they are so pervasive and influential locally, when these guys start to grumble, you could be in real trouble
The dwindling meeting attendance and increasing backchat are worrying signs of a failure to nurture your network. They could also indicate that the initial foundations were a little shaky.
From the start, you need to choose the right people and give them appropriate training. Don’t push them too far outside their comfort zone. Once set up, make sure they’re given regular messaging, comms and support.
And show them some TLC. Alongside regular and visible praise for their efforts, give them goodies to distribute –spinners, pens, mugs, AIGs, or even access to the latest insights from the security team. Little things can really help boost their sense of worth.
Day 6: Not going deep enough with the metrics
It’s Saturday. Working at the weekend can mean only one thing – clearing up a malware mess, brought on by a click-too-far. One of your colleagues has been phished.
Sadly, this was no run-of-the-mill Amazon clone email. It targeted your corporate lawyers who’d attended a recent legal conference. But your ethical phishing campaigns have shown falling click-through rates. How could they still take the bait?
What went wrong here is that your measurements (and training) are too focussed on that initial click. Anyone can be tricked to click. And it’s unlikely your ethical phishing covered the scenario that hooked those lawyers. The sequence of events post-click matters too.
The reality is that, if all it takes is one click to compromise, you need to cast your net wider.
Are people happy to report concerns about possible phishing emails or suspicious links that they’ve clicked? Do they know where and how to report? Are they suitably wary about handing over their credentials? Use your simulated phishes to better understand these and you will almost certainly reduce the potential damage from that initial click-through. You might even be able to go home sooner.
OK, you’ve made it to Sunday and you’re lucky enough to have a day of rest. But don’t put your feet up for too long. Another week beckons and you’ve got a critical meeting scheduled – turning the green light of your behavioural change programme back on.
The problem is that change fatigue has set in. There are simply too many other ‘top priorities’ clamouring for Board approval.
It’s all too easy to become so wrapped up in maturing your security culture that you see all problems through that single prism. But organisations are a blend of cultures and changes to them never happen in isolation.
Success is best made when you have allies, and there are more of these in your organisation than you might think. Whether it’s tied to safety, HR or the digital workplace, there’s a good chance you’ll find a programme with overlapping values, problems and solutions.
Don’t look at these as competitors for scarce resources. See them as opportunities to maximise engagement across your workplace. After all, information security is no stand-alone. It needs weaving deep into your cultural fabric.
That’s what all these failures have in common – they all stem from a lack of collaboration and communication.
So, talk to stakeholders, talk to employees, talk to champions and talk to other teams.
Ultimately, behavioural change in security rests on a process of blending perspectives across the technical, security and business realms.
Learn that fundamental lesson of collaboration and you might earn a week flush with success, rather than fogged with failure.
Want to know more?
TSC’s Consultancy service offers real benefits to CISOs looking to take their inforamtion security programmes to the next level.
Have a look at our Insights and Measurement area, contact firstname.lastname@example.org or call us on +44 (0)1234 708 456.