Recognizing the People Element in Data Security Implementations

Implementing information security technology and creating related policies is relatively easy. Getting the organization to better manage risks through the use of that technology and embrace those policies is quite a bit harder.

In a recent survey by ESI ThoughtLab, co-sponsored by Protiviti, untrained staff was seen as the greatest cyber threat by businesses because it can provide a conduit for outside hackers. In a related finding, user behavior analytics (detecting risky user behavior) was projected to grow 1,700 percent over the next two years. These findings confirm what we as cybersecurity and change management professionals know too well – that employee awareness, obtained in equal measures through training and communication, is crucially important to a company’s cybersecurity efforts.

As an example, a financial services executive recently lamented over lunch about a data loss prevention tool that created a firestorm on the business side when it was implemented. The monitoring system in question restricted the distribution of personally identifiable information outside the company via email, which caused a significant disruption in claims processing and human resources. The company put the cart before the horse, buying and installing the new technology without first engaging the individuals and business units likely to be affected by the change or making them aware of the need for the tool and the new required process. As a result, IT had to throttle down the system, severely handicapping its functionality, to accommodate business needs.

We hear stories like this all the time, from executives at companies large and small. The good news is that such self-inflicted wounds are largely avoidable with better communication and a structured change management plan.

A good place to start would be setting aside any preconception of users as an obstacle. Most people are willing to embrace change as long as they are made to feel vested in the process and understand how the change will benefit them personally. Good communication begins with an assessment of user needs and should include the following steps:

  • Identify the security risk
  • Explain that the change is needed to better manage that risk
  • Describe the desired outcome
  • Invite the user into the process
  • Reveal how the change will affect their job
  • Provide acceptable alternatives to existing insecure processes

A security-aware organization is critical to any security initiative. Some organizations have established Business Information Security Officers (BISOs) or other security personnel devoted solely to user adoption strategy. The position requires an understanding of cybersecurity, of how the business operates, and of the impact of the human element, together with the ability to bridge these three aspects so that initiatives are implemented successfully. This combination of skills is not easy to find, considering that a 2016 skills gap analysis by ISACA placed the shortage of cybersecurity professionals at two million by 2019.

Regardless of who spearheads security change management, long-term, sustainable success is going to require communication with, and buy-in from, business-side allies. That communication needs to be circular, with feedback loops on key metrics to keep senior management informed on progress and outcomes.

Increasingly, organizations are recognizing the people element in effecting change and the “make it or break it” significance of culture, collaboration and communication to the success of everything, from business innovation to digital initiatives. A growing number of organizations are embarking on transformational efforts of some sort, leveraging new technologies to evolve their business and engage customers in new ways. The importance of maintaining security throughout these transformations has never been greater. By recognizing that security challenges are business challenges and engaging business users throughout the process – from planning and design through implementation – organizations can avoid the pain suffered by others and become citable examples of success instead.

Andrew Retrum

Managing Director
Security and Privacy

Kathie Topel

Director
Business Process Improvement
