How CISOs can drive the security narrative

If you want people to follow proper security practices, they need to understand why. That's best done by telling a good story.

An eternal discussion in security is whether technology, process or people are the critical element in information security at scale. Most security leaders will tell you it’s the people that matter. Changing people's behavior to care about security practices requires more than simply taking poor practices off the table. It requires new positive habits and motivations. People connect with stories, and the brain naturally synthesizes the journey of a story with people's own experiences and relationships.

The sales conundrum: When training and communication don’t change behavior

Some of the audiences that most struggle with security practices use narrative in their own businesses every day. As a leader in a consulting organization, several years back I came up against that eternal challenge of data protection: sales. Our policy specified certain ways of handling account information: where to store it, how long to hold on to business contacts, standards-provided locations. There were tools aplenty and email and training. Yet we showed signs of the same risky behaviors. What gives?

Our team failed to provide the motivation for change; we failed to think about this as people. Could people understand how the parts made for their success in the job? Could they understand the reason to start a move in the direction we wanted them to go – the nudge that got them going?

In short, we had to drive the narrative. A story of change has a beginning, a reason to get moving, and a motivation to keep moving despite opposing forces (which I will talk about in a minute). Can your team tell the story? Have you told your people the story for their role, their division, their customers or outcomes?

Change requires confidence, capability and competence. Start building those things by driving the narrative that long-time employees can buy into.
