To quote Forbes magazine: “No matter what you say, your actions will speak much louder than your words. And a single action, a single example, by a leader affects more than the people who witnessed it.”
This is equally true when changing a company's culture to embrace cybersecurity. A leader who wants to change how her employees act on and engage with the company’s cybersecurity policy needs to keep that in mind.
The messages leadership gives can make or break a training program. As Alberta’s professional association for HR puts it, “The manager’s own behaviors pre- and post-training affect whether the employee will be motivated or not and therefore, impacts the participant’s ability to learn. Managers will need to be coached to understand that training, specifically when it is behavioural training, has a higher success rate of implementation when the manager has an active role throughout the training.”
Training is not over when the class ends
With cybersecurity threats having become a plague affecting virtually all organizations, many are implementing cybersecurity training. But it can’t stop there. Training that is going to effect real behavioural change in the organization needs to be ongoing. Post-training support includes Appearances, Engagement and Reinforcement, and leadership needs to be part of everything.
Let’s start with appearances. Anyone in leadership knows that appearances count. If it looks like you’re not engaged, your employees don’t feel you are engaged, whether you are or not. Let me give you two examples.
President Trump recently decided not to replace his Cybersecurity Coordinator after that officer resigned. He decided to eliminate the office. Now, it could be that the position was unnecessary or it may not be – the point is that eliminating the position can imply that cybersecurity is not a priority for his administration.
Unless strong leadership describes and reinforces how cybersecurity will be addressed in the future, an understanding that cybersecurity is not important can filter down through the rank and file and promote lackadaisical efforts towards security.
On the other hand, Apple had an incident where it was roundly criticized by some for its tight security policy.
A father wanted to retrieve photos from his deceased 13-year-old’s phone. The father didn’t understand how the security process on the phone worked and locked himself out. Apple would not give him access.
What many did not know is that Apple could not comply with the request. Their security software is built in a way that prohibits changes without a personal password after a phone is powered down – even by them. If they were to alter the software to make it possible, it would compromise the overall security of the iPhone.
Apple’s leadership looked heartless to many but no one questioned their devotion to the security of their product. Questions about their compassion? Maybe. Whether they take cybersecurity seriously? Not so much.
What their employees felt we don’t know, but the message that leadership sent about cybersecurity was clear.
If your employees get training in cybersecurity and leadership isn’t involved in taking and encouraging the training, it sends a message.
Leaders are always being watched. If it’s not important enough for you to take part in and support, you run the risk of having employees not engage either. Leadership needs to be an example of the behavior it expects. The core values of a company need to be reflected daily in behavior. If you are taking on cybersecurity as a core value of your organization, you have to engage too.
To change the course of an organization takes reinforcement. It takes more than one day or one session of training to change attitudes and habits. It takes reinforcement to keep things from drifting back into old ways of doing things. Reinforcement such as:
- Talking about recognizing threats or security incidents in meetings;
- Frequent reminders on how to handle sensitive paper and electronic information;
- Speaking with employees if they leave passwords on sticky notes;
- Cautioning employees to validate requests for information about the company, business partners or other stakeholders;
- Responsibilities and consequences of legal and regulatory duties;
- Giving clear instructions on who to call and what to do in the event of a suspected or actual security incident.
Many cybersecurity training companies provide help with pre-made materials that can be sent out in the form of emails, posters or even short games that remind employees of what they learned in training.
How leadership supports training after the fact can motivate or discourage employees in applying their new knowledge and skills. Cybersecurity awareness is a skill set that needs to be practiced and remembered like any other. Be sure to reinforce and promote those skills on a regular basis.