Reposted from Security Management Magazine
The single biggest challenge many leaders face is getting people to do things they have never done before. And it's not a question of merely maneuvering and finagling until people take your side—it’s a legitimate trial of explaining a concept and outlining why it’s valuable.
Former U.S. Navy SEAL John Gretton “Jocko” Willink noted in an interview, “If I’m manipulating you, I’m trying to get you to do something. If I’m leading you, I’m trying to get you to do something.”
What’s the difference, you ask? Intent.
Willink explained further: “If I’m manipulating you, I’m trying to get you to do something that’s going to benefit me. If I’m leading you, I’m trying to get you to do something that’s going to benefit you, that’s going to benefit the team, and that’s going to benefit the mission.”
So, how do we change people’s mindsets in business to get them to do something new that’s going to benefit them, that’s going to benefit their team, and that’s going to benefit their mission and help them achieve their strategic goals?
In the military or hostile environments, people tend to compromise or change their mindsets to execute something new because they do not want to let the person standing beside them down. It’s that purpose or being part of something bigger than themselves that motivates them. The same principle often applies in private industry. A 2019 Glassdoor survey of 5,000 leaders across the globe found that people prioritized a company’s mission and culture above money in choosing their next employer.
How can security leaders leverage this motivation to improve buy-in?
Know Your Audience
Generally, there will be three types of reactions a leader receives upon change initiatives.
The team player. These individuals are highly motivated and malleable/coachable, and they will buy in from the beginning of the change process.
The opposition. There will also always be those who resist change. If presented with effective metrics and results from the program, eventually they will either buy in, leave, or be weeded out.
Prospects. There are those standing on the sidelines who want to play, but they might be unaware of how to get in the game. How does one convert prospects to team players? It takes consistency, discipline, and time.
Start with the ABCs
Think ABC: Always Be Clear, right from the start.
When presenting new initiatives to strategic business partners, clearly define the strategic mission, vision, and values of what it is you are trying to achieve. Know your audience, speak their language, present the information so it can be easily understood by a 10-year-old, and be brief and to the point.
What is your purpose? What is the business you are in? Why are you, the risk manager, there at that specific moment in time? What is it you are trying to achieve? If your goal is the start of a new project, the strategic mission will be more finite and fit under the overall strategy of the business. The strategic risk management goal will still be to support business partners while reducing cascading effects, impacts to assets, reputational loss, injury, or death in the workplace. Anything new must call back to that core mission.
One example is onboarding new hires, as well as third-party suppliers, vendors, or partners. The purpose is to ensure delivery of clear and comprehensive training about the organization’s security policies and procedures, including how to handle sensitive information, how to identify phishing and social engineering attacks, and how to report any suspicious activity. The strategic goal goes further—it is to build a culture of trust and credibility with our people, while reducing the risk and impact of insider threats, and ensuring that “everyone is playing the game” regarding alignment with the security mission and goals.
E=MCR2: A Formula for Changing Minds
The evaluation of security programs is key to retaining long-term buy-in and converting any prospects or naysayers into team players. Remember: evaluation equals measurement and monitoring multiplied by continuous improvement multiplied by repetition (E=MCR2).
Evaluate. What is the baseline? Where are you today, and where do you want to go? The ABCs clearly define the strategic goals we are trying to achieve, so now we must come up with specific metrics that can be evaluated.
For example, one may want to reduce downstream supply chain risks regarding their third- or fourth-party partners, vendors, or suppliers. Reliance upon outside service providers can create cascading effects that affect operations within any of the 16 critical infrastructure sectors listed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). These cascading supply chain risks may potentially bring your operations to a grinding halt—or at the very least increase your exposure to fraud and abuse—and evaluating the organization’s specific risk profile on this front helps to explain the reasons behind a new initiative.
One example would be the December 2021 ransomware attack on the payroll system Kronos. One private sector energy company within the New York City tri-state area was a victim of this attack, and it triggered cascading effects for thousands of workers and close to 100 locations, putting energy to more than 1 million homes in jeopardy. The company was forced to use Excel spreadsheets and paper records for two months because it lost safe access to the payroll system. Thousands of workers were now responsible for self-reporting their hours worked. This reallocation of human resources opened up the company to fraud and abuse, but it also had a negative impact on the overall operations within the organization.
Starting with a baseline provides risk managers with empirical evidence and quantifiable metrics. Leveraging data helps us, as security and risk leaders, build trust and credibility with the business partners we support. By speaking the same language—that of business—and providing visualization of data to leadership, we demonstrate business acumen, expertise, professionalism, and a commitment to excellence. These actions help gain advocacy, while elevating security and risk from an obstacle to a partner that is there to help our business partners and courageous leaders achieve their mission and strategic goals.
How do we set this in motion? It begins with using a risk management approach:
- Identify and prioritize assets. We identify and define our critical assets, so we know what we are protecting.
- Identify and prioritize risk. We identify risk through discovery of value deficiencies, gaps, and vulnerabilities to prioritize risks and their acceptable levels. Typically, this is done through a security and risk assessment to provide actionable intelligence and visibility holistically across the enterprise.
- Mitigate prioritized risk. The findings from the above steps are used to collaboratively create a strategic roadmap of defense-in-depth advanced cybersecurity and/or physical solutions to be deployed—either as a force multiplier, as a replacement, or to ensure the efficacy of existing controls. This will help mitigate prioritized risks while reducing impacts to critical assets.
- Continuously improve. This is achieved through continuous evaluation, measurement, monitoring, and optimization. This unbiased, data-driven process ensures efficacy of critical controls, while continuously improving the availability of systems to achieve more positive outcomes. This process is a continuous feedback loop, which is rinsed and repeated.
Measure and monitor. Put a system in place to keep track of the metrics created. The type of system depends on the organization’s size, resources, and regulatory requirements; it might be as simple as a Google doc or Excel spreadsheet, or it may be a single-pane-of-glass dashboard that ingests your entire defense-in-depth stack of disparate solutions holistically across the enterprise, providing real-time monitoring. This is actionable intelligence that risk managers can then use to advise business partners so they may make more accurate, informed decisions.
When presenting metrics, remember to speak the same language as the business leaders we support, and limit the use of acronyms. The goal here is not to show how smart you are when presenting to business partners. Rather, aim to present actionable intelligence in a way leaders understand so that they may make more informed decisions that benefit them, the team, and the mission.
Continuous improvement. This may be one of the hardest phases a motivated leader faces, because it is now time to listen, both to your people and your data. Consider gathering feedback through one-on-one discussions, surveys, and town halls. Open office hours are also an option. For example, every Friday the CEO of a large healthcare organization made himself available for one hour in the on-campus cafeteria, where it was common knowledge that he was approachable and available to anyone within the organization for a discussion.
Technology is another piece of the puzzle here, and data can be used to inform conversations with leadership and drive decisions. There are also physical infrastructure, people, and processes that must be accounted for, observed, and questioned through some form of measurable process. Some examples include visual inspection, education, training, exercises and drills, business impact analysis, HR policies and procedures, and open discussions.
This all starts with a conversation where questions are asked, and leaders must be willing to not only listen, but also act and course correct.
Continuous improvement is achieved through consistent behavior that is coupled with consistent evaluation, measurement, monitoring, and optimization—which in turn produces more motivated team players. On the technology side, automation can assist here, acting as a force multiplier to help security personnel ingest the exponential amount of actionable intelligence at scale. This unbiased, data-driven process ensures efficacy of critical controls, while continuously improving the availability of systems to achieve more positive outcomes.
The goal is to have your team come to you with ideas on how to optimize the process moving forward. This means they have bought in.
Rinse and repeat. This process is a continuous feedback loop, which is then rinsed and repeated. The process is dynamic, uncertain, and rapidly evolving. Therefore, once you have reached this step, go back to the beginning, reevaluate, and start over.
Consistent and ongoing effort to improve operations to better match the strategic goal of the organization can prove to team players, prospects, and the opposition that your initiative is a worthwhile one and here to stay.