Do you ever get excited about something, perhaps a new restaurant opening in your area or a new project you get to be a part of, yet no one else seems to care? It’s how humans work. If people don’t understand the value of something, it’s hard for them to get too excited. Be it your personal life or in business, you have to remember this – especially if you work in IT or information security.
Whether it’s you, me, or anyone we communicate with, people can’t truly appreciate what’s being proposed, offered, or merely discussed unless and until they know what’s in it for them. IT and security pros have a hard enough time gaining credibility given the nature of our work (i.e. telling people what they can or cannot do). Rather than continuing to pound sand and expecting your users to buy into what you’re selling, you need to step back and be smarter with your approach.
First off, you need to do what you can to properly set your users’ expectations. This comes in the form of reasonable policies developed by your security committee that everyone knows about. Your policies also need to be enforced. This cannot be done without management support. Once you convey the initial messages, let people know what’s in it for them. Again, this is a management function, namely HR. Ensure reviews are taking place and people are commended – even compensated – for their positive efforts. When an incident occurs, work with management and the user(s) involved to discuss what was learned and what can be done better next time.
The important thing is to keep your users in the loop – not only with what’s happening in your organization but also with interesting stories from outside your organization. This could come in the form of stories about outrageous breaches, lessons we can learn from others’ mistakes, and crazy things to avoid while on your computer. I recommend using outside trainers or Internet-based resources to communicate your security messages. Why? Well, you know what happens when you give your spouse, a friend, or a parent advice. They don’t listen to you! But they will listen to a third party, even when the third party conveys your identical message! The same thing happens with security. Outsiders can be the trusted resource that your users will actually pay attention to. Plus, outsiders specialize in training and content development, and their approaches can help ensure your users “get” the messages you’re trying to convey.
You can’t force your users to love what you do. However, if you take these steps and do your best to ensure security doesn’t get in the way of your users’ work, you should see a marked difference in how security is perceived in your organization. In the end, reality is not all that – perception is everything.