This is not a 'phishing' attempt to lure you in, nor is it going to be a weak Santa and Cybersecurity joke.
I'm serious... Thinking about Santa can help you with your ISO27001, Data Protection and Cybersecurity programme.
Allow me to explain.
It’s one of the biggest complaints we hear in Cybersecurity: “I can’t get the Board to take it seriously.”
In ISO27001, one of the first challenges we face is gaining senior management buy-in to the process, and then throughout the process we have to continually fight for air-time at the board room table.
But even when you’ve managed to get the Board to listen, and the heads of operations are engaged, you have the challenge of getting the rest of the business to follow your procedures, and adhere to your policies.
It’s a huge task and one of the biggest challenges anyone looking to implement a security framework has to face.
But perhaps we’re approaching this in the wrong way, and there is a reason why no one is listening. And the answer comes in the shape of a tall, bearded man, dressed in red and white. Yes, Santa has the answer!
Santa and Cybersecurity
I actually talk about Santa in some of my presentations throughout the year, because Santa is a great example of how we need to approach gaining support for Cybersecurity. Allow me to explain.
Consider for a moment what we tell our children about Santa. We tell them that they will or won’t receive presents on Christmas day depending on whether they believe in Santa and whether they’ve been good or bad. The whole idea of Santa is that it encourages children to believe in Santa, and to act in a way that secures their gifts come 25th December.
If we look at this a little deeper, the calculation for this is simple:
Belief * Behaviour = Outcome.
If we try to affect behaviour without belief, the desired outcome will always be weak, if not failing. Therefore our focus needs to be on belief. We need children to believe in Santa, which affects their behaviour, which in turn produces the desired outcome.
It’s the same in Cybersecurity
All too often our Cybersecurity awareness programmes or presentations to the Board focus on the behaviours we want people to exhibit, but we don’t focus on changing beliefs. Or if we do focus on beliefs, we focus on the negative aspects of security (i.e. “scare tactics”). Now don’t get me wrong, it’s OK to tell the Board or the business what the impact is of not doing security well – i.e. that they’ll end up on the naughty list!
But I firmly believe we overdo this narrative to the point that it becomes a blunt instrument to beat and berate the Board and the business.
Change Belief. Change Behaviour.
We need the Board to believe in the importance of Data Protection, Privacy and Information Security, and that can be relatively easy to achieve by focusing on the positive aspects of implementing these principles.
Ask yourself what the Finance Director, HR, Operations, Sales, Marketing, IT and CEO want for Christmas, and consider how your security practices can help them achieve this.
The CEO probably wants the share value in the business to increase. Show them that by having demonstrable security in place, you become a more trusted and valued business to your customers.
The Finance Director probably wants to ensure costs and budgets are managed. Show them that having a structured security management system like ISO27001 will ensure you spend money where it’s needed. Show them how management of physical and software assets can help reduce costs.
The Sales Director is probably interested in hitting targets and meeting sales goals. Show how security and data protection are important to your customers, and should be something the sales teams can talk openly about. If you think this is something new, it’s not. Just look at the latest ads for many mobile phones – they don’t just focus on the camera and technical features. They focus on the importance of security.
If you can get these people to believe that security can benefit them, then they are more likely to support your programme.
And it doesn’t stop with the Board
When talking to the rest of the business, you must find out what they believe right now, and then change that belief. If they think your policies are boring – re-write them. If they believe you’re going to prevent them doing their job – show them the value of having defined processes for everyone to follow, which eliminate wasted time and money.
In summary, if you’re trying to change behaviours, like “Lock your screen when you’re away from your device”, having a policy isn’t enough. You need to explain why it’s important and how it affects security. You have to make them believe that it’s important, and that it benefits them.
Remember: before you achieve anything, you have to believe you can. It all starts there.