The Princess Bride: Security Culture Runs Deep
In Rob Reiner’s masterpiece, The Princess Bride, Vizzini distinguishes himself by repeatedly denying that the events ultimately leading to his death are actually happening. Vizzini (played by Wallace Shawn) is a genius with a long, distinguished reputation for being the smartest person in the room…hell, on the planet! For decades he has been getting things right when others have been hopelessly wrong.
His decidedly less intelligent, more humble companions, however, seem to grasp the unfolding events immediately and far more accurately than he does. “Inconceivable!” Vizzini shouts again. Finally, Inigo (Mandy Patinkin) offers a gentle, polite challenge in a heavy Spanish accent: “You keep using that word. I do not think it means what you think it means.” Eventually, the inconceivable events catch up with Vizzini and he is killed. At least he dies laughing, convinced he has just cheated death instead of walking straight into it.
Vizzini’s use of “Inconceivable” always reminds me of the use of the word “culture” in corporate settings today, particularly when it’s used to talk about creating a cyber security culture or an information security culture.
Ever since Peter Drucker started talking about culture as a key element of corporate success in the late twentieth century, “getting culture right” has been on the leadership agenda. And yet very few business leaders I’ve ever met seem to really understand what culture is, how it evolves and how to go about changing it. When it comes to culture change, leaders all tend to default to a single way of achieving it. The standard, not-all-that-successful, over-relied-upon formula for culture change is:
TOP-DOWN MANDATE FROM EXECUTIVE LEADERSHIP + CLEAR POLICY SUPPORT + CONTINUAL COMMS OF A CATCHY SLOGAN = CULTURE CHANGE…SOMETIMES???
You can forgive cyber security leadership for relying more heavily than most on this top-down formula. Much of the culture of the cyber security professional community is a hand-me-down from the military and law enforcement cultures that shaped the early careers of many people now in cyber security leadership positions.
In those highly esteemed professional communities, top-down leadership and strict governance work. Subordinates are recruited, trained and promoted largely on the basis of their willingness to follow orders with precision. Top-down change initiation and execution work quite effectively when you have people who are predisposed to follow top-down directions.
But most corporations don’t hire for process-discipline orientation as a top priority.
In fact, corporations have recently been trying to seed and stimulate diversity and innovation wherever they can. There has been a fundamental recognition that people are creative, and that if you hire people who are experienced and skilled in a certain area and diversely creative to boot, you can derive value from giving them the freedom to change things up. What you end up with after hiring that way for a while is a group of individuals who feel entitled to discount, and even challenge, top-down mandates and plot their own course. Those individual courses are shaped far more by the culture people bring with them to the party than by the culture of the company they are joining.
Accordingly, it’s far more difficult to change a person’s behaviour through top-down organisational governance if elements of that governance, or the approach of a compliance initiative, conflict with the basic cultural norms instilled in that person during childhood. Our parents and early caregivers instil our values and habits, and we live through other formative experiences that shape our internal compass, long before we ever pledge allegiance to our first employee handbook.
Although establishing strong corporate governance is a powerful tool for organising an enterprise, it has proven less and less effective at shaping culture as the diversity and innovation agendas have grown in strength. And that was before the lockdown ushered in a new era of working from home.
Effective cyber security hasn’t been only about behaviour in the office for a long time. We’ve been living in a growing state of always-on, everything-connected for well over two decades now. What staff do online outside traditional business hours and outside traditional office spaces has had an increasing impact on their organisation’s exposure, as laptops, mobile phones, software as a service and social media have all become more pervasive. It’s not hard to imagine the different work environments each individual in a company now has, since we have all been pushed to work from home. Each unique physical environment comes with an equally unique set of cultural influences.
How do you create a culture of information security amongst your staff that influences behaviour not only in the office but everywhere else too? It’s not a new question for cyber security, but it’s critical to answer it better than organisations have to date. The intersections between family activities and work devices, or work e-mail and personal devices, are too many to ignore. I think most people would agree that extending the scope and detail of organisational governance to dictate the behaviour of every employee everywhere, 24x7x365, is not reasonable, nor would it be received favourably even if it were legal.
In other words, the standard, not-all-that-successful, completely over-relied-upon formula for culture change is going to be even less effective now than it was before.
LESSONS FROM MARKETING SCIENCE
Marketing and advertising science can offer clues as to where we go next in compelling people to change their behaviour and be more cyber safe. When marketers want to change someone’s behaviour, usually to get them to buy more, switch brands or sign up for a service, they tailor their message to their target demographic. They learn all about the needs, interests, desires, fears and trigger phrases that compel each demographic to act. Then they shape their messaging to hit all those hot buttons, demographic by demographic.
This may sound like a lot of work. But there is good news.
- First, retailers, marketing firms, brand scientists and social scientists have been doing this kind of sub-culture typing for decades, and there is a lot of data out there on how to shape your messaging to influence people with particular cultural preferences.
- Second, like tends to hire like. So the number of distinct cultural sub-groups within your organisation will be limited, even if people are working from home and spending less time contributing to the strengthening of the overall corporate culture.
DIFFERENT STROKES FOR DIFFERENT FOLKS
The people in your organisation who respond well to warnings about future problems, and who rally to a top-down call to arms to defend the perimeter against the invading hacking hordes, have already been reached. They’re all good. There is enormous conformity amongst cyber security messaging to date, all of it relying on warnings of negative consequences, at both the individual and the corporate level, if certain behaviours are not observed. Not surprisingly, the cyber security community tends to produce compliance and awareness programmes that would work on people like themselves.
If you’ve ever attended a ‘traditional’ cyber security awareness training session, you can immediately feel the oppressive weight of that top-down emphasis.
Marketing science has shown time and again that lots of people actually respond better to positively toned messaging than to negatively toned messaging, particularly if the message is repeated. What’s more, different sub-cultures within your organisation will respond to different messaging styles better or worse, turning them on to the message content or off it to differing degrees.
In order to get a compliance programme tailored to have the maximum impact across your company’s various sub-cultures, the following steps are required as a minimum:
- Define the various subcultures within your organisation
- Characterise the learning & leadership style preferences of each
- Tailor your comms, learning materials and behaviour change incentives to the learning & leadership style preferences per subculture
The process of defining subcultures within a company is actually fairly painless. It used to be that culture surveys involved hundreds of questions that took the better part of a morning for employees to work through. But that was decades ago. In the 50 years that social science has been examining culture in the workplace, the data collection method has been refined.
A 30-minute commitment from staff is all that is required to gather the data needed for dramatic insight into how various subcultures have evolved and taken root in a company, and into how best to approach each group of people to effect change. Our human baseline and cyber pulse surveys are designed to help you come to grips with your digital tribes and compliance subcultures.
So as we embark on our “new normal”, partly in office, partly at home, maybe back on the road someday… we will need a new approach to establishing the behaviours required to keep us cyber safe.
If we are smart, we’ll start to take chances on employing new ways to reach and connect with our now more-dispersed audiences.
Which path will you choose? Will you double down on the old, standard, top-down methods, like the rather inebriated Inigo as he barricades himself in the Thieves’ Forest waiting in vain for Vizzini to return and provide him with orders? Or will you let that creativity fly, and embrace the possibilities of doing something different?
You can dare to dream, and survive the evils of the Fire Swamp, the R.O.U.S. and the other perils of cyber security, if you put some heart into your culture and help it thrive.
How do you find true love?
We’re here to be the Miracle Max to your entire awareness programme, and yes, the chocolate coating does make it go down easier.
SOME ADDITIONAL INFORMATION YOU SHOULD, WELL, BE AWARE OF
Just because you have an audit, you don’t have to put your staff through the sucking machine from The Princess Bride. We promise, there is a better way.