Compliance vs Behavioural Change – How to win over your board
19 September 2018
The exec has decided (and the board has concurred): next up on your ‘to do’ list, just moments after you’ve put that hesitant tick against GDPR, is… ISO 27001.
Or PCI-DSS. Or COBIT. Or NIST SP 800-53.
Or any one of a plethora of industry-specific information security compliance frameworks.
There’s no doubt the compliance industry has been working in overdrive this last decade, doing their bit to keep global GDP levels up. Bookshelf-makers and soft-bound manual printers of the world rejoice! But, joking aside, there are significant benefits for those organisations fully and visibly committing to comply with such standards.
It’s excellent news that the board are buying into your message. And at the very least, compliance with an external framework is going to offer a firm guide along the path towards an improved information security stance.
But many a hard-pressed CISO – compliance or not – will find it hard to suppress that nagging voice.
“How much safer will this actually make us?”
“Are we really achieving any behavioural change here?”
Those nagging questions arise due to a lack of hard evidence demonstrating that time and monies spent on compliance have produced the improved outcomes of sustained behavioural change.
Burnishing those badges
So, why are boards inclined to give the nod for compliance-based frameworks?
At least part of the answer may lie with ‘badge envy’. It can’t escape notice that boards are rather partial to measures that show them doing well against their peers. And rather more than a little agitated to find themselves lagging behind the pack.
The great thing about achieving audited compliance is that an overt message is sent to everyone else in your sector.
“We’re the good guys, the adults in the room. We have achieved this badge of honour from a recognised body. How about you?”
You can also open up substantial new lines of business, especially with the state sector’s more tightly bound procurement policies.
Compliance also has the advantage of tackling a big pile of ‘known unknowns’ – requiring us to address the fact that we don’t always understand the coverage, use and efficacy of the controls we already have in place.
At the very least, we’re vastly improving our knowledge and grasp of the information protection systems that we have accrued – piece-by-piece, department-by-department, CISO-by-CISO – within our organisations. The benefit of undertaking such an inventory can easily be underestimated.
Then there’s the intrinsic merit of the process itself. If properly followed, achieving compliance can help kickstart behavioural change – especially at the organisational level. Corporate governance structures, controls and processes are assessed and improved. Weaknesses can be discovered and remedied.
Compliance as a strategic objective also gives heft to a raft of other IT changes within your organisation. You are able to say: ‘we need to do this to become compliant’. Suddenly, once-critical projects that have become atrophied gain new life. Now there is the resource available – and the political will to change things – if it shifts the needle towards compliance.
Compliance attained = behavioural change sustained?
That badge of honour may be very useful for the organisation as a whole, but where does that leave the more fundamental concern of individual behaviour? Does the drive for compliance in fact damage the goal of improving behaviours?
Because compliance can come at a price.
The corporate world is already compliance-heavy and increasingly ring-fenced, whether by statutory regulation or by voluntary standards. Achieving compliance with this multitude of regimes, and then maintaining that compliance, involves significant costs.
The workload doesn’t just fall on the change management and governance professionals tasked with bringing an organisation up to spec. The costs are also borne by change-weary employees.
Introducing another compliance programme, with additional controls and requirements of your employees, can take individuals beyond their ‘compliance budget’. They begin to see everything – the campaigns, training and processes – all as tick-box requirements.
What is intended as a positive change then becomes distorted, subverted and worked around – controls that get in the way of the day job are bypassed rather than followed. Ultimately, compliance may be achieved at the cost of introducing new risks, especially if the overarching message received is simply ‘achieve compliance’.
The danger here is that everything related to compliance becomes a box to tick. And behavioural change, for individuals, may be dead in the water – or even heading in the wrong direction.
So how do you ensure that compliance sign-off doesn’t become another change programme write-off?
Bringing in some culture
It comes down to more than just ‘compliance versus behavioural change’. What we’re really talking about here is ‘strategy versus culture’: how the logical, rational cortex of the organisation can achieve its goals in the unpredictable, emotional ‘limbic system’ of its people.
Compliance frameworks, working within the world of strategic business goals, can only push people so far up the maturity curve. Real and meaningful behavioural change is sustained when strategy learns where its remit ends and that of culture takes over.
How different would campaigns sound to employees if the message was that their behavioural change is what will earn the company recognition as compliant, rather than a list of requirements to be met in order to achieve compliance?
You could create and maintain a cultural mentality of development and reward rather than just of ticking boxes.
That means engaging with values, attitudes and motives. Providing skills, communicating the vision and demonstrating conviction. Most of all listening to your people closely, addressing their concerns and providing the right support.
So, congratulate the board for taking those bold initial steps with a push for compliance. But remind them that, if those steps are to take the organisation in the right direction, the board needs to commit the whole way.
No-one wants to see that box unticked, or have their badge taken away.