Recognizing the People Element in Data Security Implementations

Implementing information security technology and creating related policies is relatively easy. Getting the organization to better manage risks through the use of that technology and embrace those policies is quite a bit harder.

In a recent survey by ESI ThoughtLab, co-sponsored by Protiviti, untrained staff was seen as the greatest cyber threat by businesses because it can provide a conduit for outside hackers. In a related finding, user behavior analytics (detecting risky user behavior) was projected to grow 1,700 percent over the next two years. These findings confirm what we as cybersecurity and change management professionals know too well – that employee awareness, obtained in equal measures through training and communication, is crucially important to a company’s cybersecurity efforts.

As an example, a financial services executive recently lamented over lunch about a data loss prevention tool that created a firestorm on the business side when it was implemented. The monitoring system in question restricted the distribution of personally identifiable information outside the company via email, which caused a significant disruption in claims processing and human resources. The company put the cart before the horse, buying and installing the new technology without first engaging the individuals and business units likely to be affected by the change or making them aware of the need for the tool and the new required process. As a result, IT had to throttle down the system, severely handicapping its functionality, to accommodate business needs.

We hear stories like this all the time, from executives at companies large and small. The good news is that such self-inflicted wounds are largely avoidable with better communication and a structured change management plan.

A good place to start would be setting aside any preconception of users as an obstacle. Most people are willing to embrace change as long as they are made to feel vested in the process and understand how the change will benefit them personally. Good communication begins with an assessment of user needs and should include the following steps:

  • Identify the security risk
  • Explain that the change is needed to better manage that risk
  • Describe the desired outcome
  • Invite the user into the process
  • Reveal how the change will affect their job
  • Provide acceptable alternatives to existing insecure processes

A security-aware organization is critical to any security initiative. Some organizations have established Business Information Security Officers (BISO) or other security personnel devoted solely to user adoption strategy. The skill set for this position requires understanding of cybersecurity, how the business operates, and the impact of the human element, and bridging these three aspects to successfully implement initiatives. This combination of skills is not easy to find, considering that a 2016 skills gap analysis by ISACA placed the shortage of cybersecurity professionals at two million by 2019.

Regardless of who spearheads security change management, long-term, sustainable success is going to require communication with, and buy-in from, business-side allies. That communication needs to be circular, with feedback loops on key metrics to keep senior management informed on progress and outcomes.

Increasingly, organizations are recognizing the people element in effecting change and the “make it or break it” significance of culture, collaboration and communication to the success of everything, from business innovation to digital initiatives. A growing number of organizations are embarking on transformational efforts of some sort, leveraging new technologies to evolve their business and engage customers in new ways. The importance of maintaining security throughout these transformations has never been greater. By recognizing that security challenges are business challenges and engaging business users throughout the process – from planning and design through implementation – organizations can avoid the pain suffered by others and become citable examples of success instead.

Andrew Retrum

Managing Director
Security and Privacy

Kathie Topel

Business Process Improvement

Subscribe to Topics

Join Protiviti's Paul Kooney and Stephen Nation as they discuss how to set up trust in an organization in tomorrow's Tech Talks at the TrustWeek 2022 Conference.

#ProtivitiTech #TrustWeek #privacy #security #dataprivacy

Evolving #dataprivacy laws and updates in the #OneTrust system call for a closer look at #privacy systems and processes. Join #ProtivitiTech Ismail Ali and Sam Reiter at #TrustWeek to learn how to take your OneTrust deployment to the next level.

Protiviti is pleased to be a Platinum Sponsor at the #TrustWeek 2022 conference. Join #ProtivitiTech and discover best practices to protect #privacy, #data #security, act sustainably and build trust with clients and within your company.

Embedded analytics have rapidly become one of the new “art of the possible” scenarios. Learn how platform's such as @SAP's BI Launchpad continue to develop data analytics, and enables continued organizational growth:

#ProtivitiTech #SAP #DataAnalytics

We spend a lot of time thinking about how CISOs can prioritize their earliest actions and advising clients who happen to be new in their CISO roles. By taking the right steps, new CISOs can convey confidence. Read more:

#ProtivitiTech #TechnologyInsights

Load More...