Are you too perfect to be an effective security manager?

If you're scratching your head about why users are ignoring security policy, maybe it's time to review your mistakes - and share them with people

Ever spend time working on policies, solutions and messages only to be ignored or cast aside? Worse, after spending the time to build a solution, are people simply not responding?

Last month I shared the "pink sticky approach" and why it often backfires and complicates the situation. There is more to the story. I learned about the "pink sticky approach" after keynoting a conference. During an open panel, a woman stood up to ask for help improving compliance with the privacy policy. She described how she used the pink stickies and was confused why it led to less compliance instead of more.

But when we delved a bit deeper, we uncovered that she perfectly adhered to the privacy policy. In fairness, she felt that if she was responsible for the policy, she had an obligation to follow it to the letter. So to those she was judging with the pink stickies, she was "perfect."

After listening, I asked a simple question, "Did you always follow the policy?" Her answer was expected: No, she didn't. So I asked her if she had an "aha" moment where it came clear and she changed her ways. She did. Then I asked if she had shared that moment with others. She had not.

That was her opportunity missed.

If she had shared her own experience as an example, she would likely have connected with those she served. This connection makes her human in their eyes and allows them to draw on her experiences to shape their actions. After all, no one is perfect, and we tend to respond different to each other on human levels.

Here is why hiding mistakes and "aha moments" backfires: The perception people form of the perfection of those designing the solution works against intention. Simply stated, if we appear to have no flaws when presenting the message, we sacrifice authenticity and the ability to connect.

We are approaching a time where people want to take back responsibility, but they may not know how. If we show them the way at work, we win. It's not about inflicting pain. It's about moving people closer to the consequences of their actions and then being there to engage them in conversation. In the process we learn, they learn and we figure out how to grow.

The mistake is to think we're smarter or know more. We don't. We have a different experience. So we have to engage. 1. Admit our mistakes and share our experiences, including our "aha moments." This allows people to understand how we learned and possibly influence their learning. Create a safe environment for people to share their experiences. Change is scary; we need to make it safe for people not only to try something new or different, but also to share those experiences. The benefit of this approach serves the individual, as well as others they interact with. Share with authenticity: It's not about being perfect, but being human and finding ways to learn, work and advance together.

Three things we can do:

2.

3.

Michael Santarcangelo is the author of Into the Breach and creator of Awareness that Works. Learn more at www.securitycatalyst.com or engage with him on twitter.com/catalyst.

Join the discussion
Be the first to comment on this article. Our Commenting Policies