Recognizing the People Element in Data Security Implementations

Implementing information security technology and creating related policies is relatively easy. Getting the organization to better manage risks through the use of that technology and embrace those policies is quite a bit harder.

In a recent survey by ESI ThoughtLab, co-sponsored by Protiviti, untrained staff was seen as the greatest cyber threat by businesses because it can provide a conduit for outside hackers. In a related finding, user behavior analytics (detecting risky user behavior) was projected to grow 1,700 percent over the next two years. These findings confirm what we as cybersecurity and change management professionals know too well – that employee awareness, obtained in equal measures through training and communication, is crucially important to a company’s cybersecurity efforts.

As an example, a financial services executive recently lamented over lunch about a data loss prevention tool that created a firestorm on the business side when it was implemented. The monitoring system in question restricted the distribution of personally identifiable information outside the company via email, which caused a significant disruption in claims processing and human resources. The company put the cart before the horse, buying and installing the new technology without first engaging the individuals and business units likely to be affected by the change or making them aware of the need for the tool and the new required process. As a result, IT had to throttle down the system, severely handicapping its functionality, to accommodate business needs.

We hear stories like this all the time, from executives at companies large and small. The good news is that such self-inflicted wounds are largely avoidable with better communication and a structured change management plan.

A good place to start would be setting aside any preconception of users as an obstacle. Most people are willing to embrace change as long as they are made to feel vested in the process and understand how the change will benefit them personally. Good communication begins with an assessment of user needs and should include the following steps:

  • Identify the security risk
  • Explain that the change is needed to better manage that risk
  • Describe the desired outcome
  • Invite the user into the process
  • Reveal how the change will affect their job
  • Provide acceptable alternatives to existing insecure processes

A security-aware organization is critical to any security initiative. Some organizations have established Business Information Security Officers (BISOs) or other security personnel devoted solely to user adoption strategy. The skill set for this position requires an understanding of cybersecurity, of how the business operates and of the human element, together with the ability to bridge these three aspects so that initiatives are implemented successfully. This combination of skills is not easy to find, considering that a 2016 skills gap analysis by ISACA placed the shortage of cybersecurity professionals at two million by 2019.

Regardless of who spearheads security change management, long-term, sustainable success is going to require communication with, and buy-in from, business-side allies. That communication needs to be circular, with feedback loops on key metrics to keep senior management informed on progress and outcomes.

Increasingly, organizations are recognizing the people element in effecting change and the “make it or break it” significance of culture, collaboration and communication to the success of everything, from business innovation to digital initiatives. A growing number of organizations are embarking on transformational efforts of some sort, leveraging new technologies to evolve their business and engage customers in new ways. The importance of maintaining security throughout these transformations has never been greater. By recognizing that security challenges are business challenges and engaging business users throughout the process – from planning and design through implementation – organizations can avoid the pain suffered by others and become citable examples of success instead.

Andrew Retrum

Managing Director
Security and Privacy

Kathie Topel

Director
Business Process Improvement
