Technology Insights HOME | Perspectives from Our Experts on Technology Trends and Risks

Recognizing the People Element in Data Security Implementations

Andrew Retrum

Managing Director - Technology Risk and Resilience

Kathie Topel

Director

Implementing information security technology and creating related policies is relatively easy. Getting the organization to better manage risks through the use of that technology and embrace those policies is quite a bit harder.

In a recent survey by ESI ThoughtLab, co-sponsored by Protiviti, businesses ranked untrained staff as their greatest cyber threat, because an untrained employee gives outside attackers a way in. In a related finding, user behavior analytics (detecting risky user behavior) was projected to grow 1,700 percent over the next two years. These findings confirm what we as cybersecurity and change management professionals know all too well: employee awareness, built in equal measure through training and communication, is crucial to a company's cybersecurity efforts.

As an example, a financial services executive recently lamented over lunch about a data loss prevention (DLP) tool that created a firestorm on the business side when it was implemented. The monitoring system in question blocked the distribution of personally identifiable information (PII) outside the company via email. Claims processing and human resources, both of which routinely and legitimately send PII to external parties, were significantly disrupted. The company put the cart before the horse, buying and installing the new technology without first engaging the individuals and business units likely to be affected, explaining why the tool was needed, or giving them an approved way to keep doing their jobs under the new process. As a result, IT had to throttle the system down, severely handicapping its functionality, to accommodate business needs.

We hear stories like this all the time, from executives at companies large and small. The good news is that such self-inflicted wounds are largely avoidable with better communication and a structured change management plan.

A good place to start would be setting aside any preconception of users as an obstacle. Most people are willing to embrace change as long as they are made to feel vested in the process and understand how the change will benefit them personally. Good communication begins with an assessment of user needs and should include the following steps:

  • Identify the security risk
  • Explain that the change is needed to better manage that risk
  • Describe the desired outcome
  • Invite the user into the process
  • Reveal how the change will affect their job
  • Provide acceptable alternatives to existing insecure processes
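The DLP rollout described above, and the last step in this list, are easier to see in code. The following is an added illustration, not the article's, Protiviti's or any DLP vendor's code: a toy outbound-email rule that flags PII (here, a US SSN-shaped token, standing in for a real classifier) addressed to an external domain. Three policy settings are compared on constructed sample traffic: the block-first rollout that caused the disruption, a monitor-only rollout that records what would have been blocked per business unit so IT has concrete numbers to bring to claims and HR before enforcing, and an enforcing policy that accepts an approved encrypted channel as the alternative to the insecure process. All names, the sample messages and the encrypted-channel flag are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from enum import Enum

# Constructed illustration (not the article's, Protiviti's or any vendor's code) of the
# DLP rollout described above. Names, the SSN pattern and the sample messages are assumed.


class Mode(Enum):
    MONITOR = "monitor"  # record matches, never block: measures business impact first
    BLOCK = "block"      # stop delivery of matching messages


@dataclass(frozen=True)
class Email:
    team: str                # sending business unit (claims, hr, ...)
    recipient: str
    body: str
    encrypted: bool = False  # sent through the approved secure-send channel (assumed alternative)


@dataclass(frozen=True)
class Policy:
    mode: Mode
    internal_domain: str
    accept_encrypted: bool   # treat the encrypted channel as an acceptable alternative


@dataclass(frozen=True)
class Verdict:
    action: str  # "allow", "log" or "block"
    reason: str


# US SSN-shaped token: a simple stand-in for a real PII classifier.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def contains_pii(text: str) -> bool:
    return SSN_RE.search(text) is not None


def is_external(policy: Policy, email: Email) -> bool:
    return not email.recipient.lower().endswith("@" + policy.internal_domain)


def evaluate(policy: Policy, email: Email) -> Verdict:
    """Apply one DLP rule: PII must not leave the company in the clear."""
    if not (is_external(policy, email) and contains_pii(email.body)):
        return Verdict("allow", "no PII leaving the company")
    if policy.accept_encrypted and email.encrypted:
        return Verdict("allow", "PII sent via approved encrypted channel")
    if policy.mode is Mode.MONITOR:
        return Verdict("log", "unencrypted PII to external recipient (monitor mode)")
    return Verdict("block", "unencrypted PII to external recipient")


def impact_by_team(policy: Policy, emails) -> dict:
    """Count verdicts per business unit: the numbers to bring to the affected teams."""
    report: dict = {}
    for email in emails:
        report.setdefault(email.team, Counter())[evaluate(policy, email).action] += 1
    return {team: dict(counts) for team, counts in report.items()}


# Constructed sample traffic for one day.
SAMPLE = [
    Email("claims", "adjuster@partner-insurer.example", "Claimant SSN 123-45-6789, see attached."),
    Email("hr", "enroll@benefits-vendor.example", "New hire 987-65-4321 starts Monday.", encrypted=True),
    Email("hr", "payroll@example.com", "SSN 111-22-3333 for the W-2 correction."),
    Email("marketing", "press@news.example", "Q3 launch brief attached."),
]

INTERNAL = "example.com"
BLOCK_FIRST = Policy(Mode.BLOCK, INTERNAL, accept_encrypted=False)        # the "firestorm" rollout
MONITOR_FIRST = Policy(Mode.MONITOR, INTERNAL, accept_encrypted=False)    # measure before enforcing
ENFORCE_WITH_ALTERNATIVE = Policy(Mode.BLOCK, INTERNAL, accept_encrypted=True)

if __name__ == "__main__":
    for name, policy in [("block first", BLOCK_FIRST), ("monitor first", MONITOR_FIRST),
                         ("enforce with alternative", ENFORCE_WITH_ALTERNATIVE)]:
        print(f"{name}: {impact_by_team(policy, SAMPLE)}")
```

Run as written, the block-first policy stops both the claims and the HR message, which is the disruption the executive described. The monitor-first policy lets the same traffic through but records, per team, exactly which flows enforcement would break; that report is what the conversation with claims and HR should start from. Only once an accepted alternative exists (here, the encrypted channel) does the enforcing policy block just the unencrypted case, instead of being throttled down across the board.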

A security-aware organization is critical to any security initiative. Some organizations have established Business Information Security Officers (BISOs) or other security personnel devoted solely to user adoption strategy. The role requires an understanding of cybersecurity, of how the business operates and of the human element, together with the ability to bridge all three so that initiatives are actually adopted. This combination of skills is not easy to find, considering that a 2016 skills gap analysis by ISACA placed the shortage of cybersecurity professionals at two million by 2019.

Regardless of who spearheads security change management, long-term, sustainable success is going to require communication with, and buy-in from, business-side allies. That communication needs to be circular, with feedback loops on key metrics to keep senior management informed on progress and outcomes.

Increasingly, organizations are recognizing the people element in effecting change and the “make it or break it” significance of culture, collaboration and communication to the success of everything, from business innovation to digital initiatives. A growing number of organizations are embarking on transformational efforts of some sort, leveraging new technologies to evolve their business and engage customers in new ways. The importance of maintaining security throughout these transformations has never been greater. By recognizing that security challenges are business challenges and engaging business users throughout the process – from planning and design through implementation – organizations can avoid the pain suffered by others and become citable examples of success instead.
