Image Credit: Jo Zimny Photos
On top of everything else that a CIO is being asked to do, we are also in charge of getting the company’s employees to do their part in order to secure the company’s IT assets. It turns out that this is actually trickier than it may initially seem to do. You have to understand who you are dealing with and you need to have a clear vision for what you want them to be doing. Once you know all of this, you’ll need a plan for getting your employees to do the right thing. Oh, and trying to scare them into doing the right thing is probably not the way to go about doing it.
The Problem With Fear
CIOs often turn to a powerful emotion to get employees to be vigilant about cybersecurity. They attempt to scare them. We tell them that if you do this, or don’t do that, something awful will happen. If you click on phishing messages, then the company’s network will be exposed to hackers. If you use a simple password, your personal files will get stolen. There is a problem with this approach: all too often fear doesn’t work. Yes, it may get people to act in that moment. However scare tactics don’t get workers invested in security over the long term.
In fact, what CIOs are discovering is that it can do the opposite. This is because fear can leave employees in a constant state of anxiety, which will make them unable to think clearly about threats. At the same time such heavy-handed, scare messaging can make your employees disgruntled and uninterested in security, thinking that the threats are exaggerated – and that the CIO does not trust them to do the right thing. But have no fear yourself. Although scaring your employees may not be an effective way to keep them vigilant, the good news is that there are other tools that do work. Before we look at them, let us first dig deeper into why fear doesn’t work.
CIOs need to understand that fear is a short-term emotion. There is no question that using fear can work to get workers to perform a one-off action, like installing antivirus software. But long-term behaviors are where your real problems come in – and long-term vigilance is the ultimately real point of any cybersecurity program. After an initial surge, the fear will wear off and convert to an underlying state of anxiety. This makes people unlikely to commit to frequent actions such as choosing a strong password. A fear-based approach doesn’t encourage genuine watchfulness. Once a worker is in a state of heightened fear or anxiety, their brains are fully occupied in dealing with the emotion. This makes measured and thoughtful action unlikely or impossible.
A Better Solution For Cybersecurity
So, what alternatives to fear do CIOs have? You already know what they are: creativity and trust. If you give employees more leeway and support that works a lot better than infusing their lives with anxiety and creating an aversion to anything having to do with cybersecurity. You can start things off by creating a form of a buddy system. The thing that you don’t want to do is to put people in a room and talk at them for hours about security. Instead, give them a “buddy” who’s there to help them in the office every day to help them carry out the actions that you want them to do. In this system, instead of trying to train everybody who works for you, one employee in each department is appointed to serve as cybersecurity expert. This employee is close by in order to support colleagues day to day, available to answer questions about things like potential phishing messages. If a message does turn out to be a phish, the buddy can warn the rest of his department immediately. Or the buddy could help somebody with a question about how to send files outside the company in a secure way. Not only does everybody get much less stressful support, but they also get the message that cybersecurity isn’t a solo sport but rather a team effort.
Another thing that a CIO can do is to provide workers with adequate resources. Instead of relying on workers to take multiple complex steps to ensure their security, instead give them tools that can help them or automate the job entirely. A good example of this is if you want people to have strong passwords, give them a password manager. It can both generate passwords for them and remember those passwords. Alternatively if you want people to spot phishing messages, put a messaging system in place to warn everyone immediately when you discover that your organization is being targeted – as opposed to alerting by email, which could go unread for hours. The first person to spot the message has the responsibility to let everyone else know. What’s more, this alert can also explain how to spot similar messages in the future. Your entire workforce gets trained on the spot and will gain confidence in spotting phishing messages instead of living in a state of fear that they are going to click on something by accident.
Finally, CIOs can remove obstacles for their workers. A lot of the fear-based cybersecurity messages that we use involve telling workers what tools they can’t use in the office. Instead of banning such tools, CIOs should figure out how those tools can be used securely and effectively in the office. A good example of this is that many companies forbid the use of USB memory sticks. At the same time, they don’t provide a good way for people to transfer files to workers that they are collaborating with. When workers improvise – such as emailing the files to other people – they end up putting the information at risk. It is far better to issue encrypted memory sticks that authenticate using fingerprints. You need to realize that it is more expensive than banning the use of memory sticks in general, but it is probably better to spend a bit more to get actual protection, instead of engaging in so-called “security theater” where you think that banning every possible insecure action is going to work.
What All Of This Means For You
CIOs, perhaps more than anyone else, realize that cybersecurity is everyone’s job. The way that a lot of us have been going about trying to make our companies more secure by trying to scare our workers into doing the right thing only seems to work in the short term. What we really want is a long term solution and it looks like fear is not going to make that happen.
CIOs need to understand that when we use fear to motivate our employees it will probably not work and it will just end up making them anxious. A much better way is to go about using creativity and trust. CIOs can implement a buddy system where a single employee becomes the reference for a department in order to implement better security practices. CIOs also have to be willing to make the investment in order to provide their employees with adequate resources so that they don’t put data at risk by trying to do foolish things. CIOs are also responsible for removing any security obstacles that may be hindering their employees. If we make cybersecurity easy, then everyone will do it correctly.
CIOs have to understand that the idea is to work with your employees rather than against them. We realize that there is no short-term solution to the cybersecurity conundrum. Instead, we have to play the long game and find a better way – treating our employees with respect and dignity, and not as the problem, but as part of the solution.
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: How can CIOs measure if their employees are adopting safe computing practices?
Click here to get automatic updates when The Accidental Successful CIO Blog is updated.P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!