From an Army of One to an Army of a Ton: Creating an Effective Security Awareness Program

Written by SecureWorld News Team | 5 PM Z

The human element of security is one of the most difficult to predict and therefore to secure. Additionally, one of our biggest challenges is building a security awareness program for people who may never have been subjected to one, and doing so by understanding their aversion to buying into the security program. We have great written resources and guidance from sources such as NIST 800-53, but it’s much more challenging to overcome the sociological elements of the human factor that prevent security-aware cultures from succeeding, such as aversion to technology, fear, uncertainty, doubt, and simple non-malicious human error. As security professionals, we may lose sight of the fact that the professionals we support also have other jobs, so learning and focusing on security controls can be stressful and daunting.

Incorporating change management methodologies rooted in the psychology of human behavior, such as ADKAR (Awareness, Desire, Knowledge, Ability, and Reinforcement), can help us as security professionals facilitate more impactful cultural change by understanding why the employees we support act and react the way they do, and what other environmental or social factors may influence their decision-making and thought processes. It can also help us gain buy-in from our leadership, nudging from the bottom up, while leading by example from the top down.

The ADKAR change model has been proven to help individuals understand and accept change so companies can successfully innovate and become more efficient. As security professionals, we have to be conscious that security program costs contribute to the rising costs of healthcare, goods, and services, and we often have to find unique and strategic ways to ingrain ownership of security functions within other departments to augment our limited resources. Building a security ambassador program using these change facilitation concepts will help drive cost-effective ownership of the security program throughout the entire organization, creating deeper business resilience, reducing risk, and truly leading by example, proving we are stronger together.