The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

3 mins to read

Recognizing the People Element in Data Security Implementations

Larger Font
3 minutes to read

Implementing information security technology and creating related policies is relatively easy. Getting the organization to better manage risks through the use of that technology and embrace those policies is quite a bit harder.

In a recent survey by ESI ThoughtLab, co-sponsored by Protiviti, untrained staff was seen as the greatest cyber threat by businesses because it can provide a conduit for outside hackers. In a related finding, user behavior analytics (detecting risky user behavior) was projected to grow 1,700 percent over the next two years. These findings confirm what we as cybersecurity and change management professionals know too well – that employee awareness, obtained in equal measures through training and communication, is crucially important to a company’s cybersecurity efforts.

As an example, a financial services executive recently lamented over lunch about a data loss prevention tool that created a firestorm on the business side when it was implemented. The monitoring system in question restricted the distribution of personally identifiable information outside the company via email, which caused a significant disruption in claims processing and human resources. The company put the cart before the horse, buying and installing the new technology without first engaging the individuals and business units likely to be affected by the change or making them aware of the need for the tool and the new required process. As a result, IT had to throttle down the system, severely handicapping its functionality, to accommodate business needs.

We hear stories like this all the time, from executives at companies large and small. The good news is that such self-inflicted wounds are largely avoidable with better communication and a structured change management plan.

A good place to start would be setting aside any preconception of users as an obstacle. Most people are willing to embrace change as long as they are made to feel vested in the process and understand how the change will benefit them personally. Good communication begins with an assessment of user needs and should include the following steps:

  • Identify the security risk
  • Explain that the change is needed to better manage that risk
  • Describe the desired outcome
  • Invite the user into the process
  • Reveal how the change will affect their job
  • Provide acceptable alternatives to existing insecure processes

A security-aware organization is critical to any security initiative. Some organizations have established Business Information Security Officers (BISO) or other security personnel devoted solely to user adoption strategy. The skill set for this position requires understanding of cybersecurity, how the business operates, and the impact of the human element, and bridging these three aspects to successfully implement initiatives. This combination of skills is not easy to find, considering that a 2016 skills gap analysis by ISACA placed the shortage of cybersecurity professionals at two million by 2019.

Regardless of who spearheads security change management, long-term, sustainable success is going to require communication with, and buy-in from, business-side allies. That communication needs to be circular, with feedback loops on key metrics to keep senior management informed on progress and outcomes.

Increasingly, organizations are recognizing the people element in effecting change and the “make it or break it” significance of culture, collaboration and communication to the success of everything, from business innovation to digital initiatives. A growing number of organizations are embarking on transformational efforts of some sort, leveraging new technologies to evolve their business and engage customers in new ways. The importance of maintaining security throughout these transformations has never been greater. By recognizing that security challenges are business challenges and engaging business users throughout the process – from planning and design through implementation – organizations can avoid the pain suffered by others and become citable examples of success instead.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Authors

Andrew Retrum

By Andrew Retrum

Verified Expert at Protiviti

EXPERTISE

Kathie Topel

By Kathie Topel

Verified Expert at Protiviti

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

While the return-to-office decision is often framed in a straightforward manner — we believe collaboration, productivity and innovation flourish more...

Article

What is it about

What you need to know: Aging systems, data silos, regulatory pressures and talent gaps complicate enterprise transformation for public utilities....

Article

What is it about

The top priority for healthcare internal auditors this year is cybersecurity, according to a survey by Protiviti and the Association...

Search