6 reasons your behavioural change plan didn't work

Or...why behavioural change plans fail to engage and inspire change with your employees.

The best laid plans never survive contact with the enemy – so says the military man. Of course, a behavioural change plan for transforming your security culture starts from an altogether more positive place.

After all, your staff aren’t your enemy (and if you think they are, then you really are building failure into your plan from the outset).

But the basic premise stands. Once acquainted, plans and reality quickly fall out with one another. An adaptive mindset is critical for success. So, let’s keep it real, and look at why behavioural change goes awry with some practical examples.

And given we’ll be working through six common failings that can be flipped into success, let’s make it reality on steroids – six failings over six days for a working week from hell for the hard-pressed CISO that may be closer to the truth than is comfortable for some…

Day 1: Forgetting to bring along a map

You’ve decided to make a hooded hacker the focus of a comms campaign. A threat actor that everyone recognises, cliché or not. The design’s back and everyone loves it. You’re getting ready to roll the campaign materials together.

Then your CIO, who’s shown no interest to this point, drops a bombshell – she hates that hooded character at the centrepiece of your comms campaign. “It’s all a bit clichéd?” she says. “Can’t you come up with something more original.”

Day 2: Doing eLearning by numbers

The latest completion figures for your eLearning are in, and they are heading south faster than geese in November.

You’re being asked to dangle carrots (or to softly wield sticks) to get those completion rates up. How else are you going to be able to show that your training is working?

Day 3: Not listening to your users

Not long ago, a lost USB flash-drive and an embarrassing data breach produced a command from the top – “Ban USB sticks!”

Luckily, a policy document on removeable media was ready to hand.

Unluckily, it was a one-size-fits-all affair that didn’t take into account a critical group of engineers. They needed to share large (and sensitive) data files with third parties when they’re off the corporate network. With USBs banned, they’re using cloud sharing sites on their personal phones instead. An advance in security it is not.

Day 4: Running face-to-face training without the focus

We’re past midweek, but training feedback has us on the back foot. It’s from the face-to-face sessions for your high-risk users (or as I’m sure they’d prefer, your ‘high-value colleagues’). The comments from the F2F training feedback forms are less than complimentary:

‘They didn’t say anything that was useful for us, so I turned off’ … ‘The trainer just talked at us’ … ‘It was all cyber-this, cyber-that – mumbo-jumbo to me’ …

Day 5: Malnourishing your change champions network

OK, it’s now Friday in our hypothetical week, so things should be getting easier, right? Wrong. It turns out your champions are revolting. Pitchforks are being brandished.

That’s a real problem. Change champions are the frontline of any programme to sustain changes in behaviour. Because they are so pervasive and influential locally, when these guys start to grumble, you could be in real trouble

Day 6: Not going deep enough with the metrics

It’s Saturday. Working at the weekend can mean only one thing – clearing up a malware mess, brought on by a click-too-far. One of your colleagues has been phished.

Sadly, this was no run-of-the-mill Amazon clone email. It targeted your corporate lawyers who’d attended a recent legal conference. But your ethical phishing campaigns have shown falling click-through rates. How could they still take the bait?

And rest

OK, you’ve made it to Sunday and you’re lucky enough to have a day of rest. But don’t put your feet up for too long. Another week beckons and you’ve got a critical meeting scheduled – turning the green light of your behavioural change programme back on.

The problem is that change fatigue has set in. There are simply too many other ‘top priorities’ clamouring for Board approval.

It’s all too easy to become so wrapped up in maturing your security culture that you see all problems through that single prism. But organisations are a blend of cultures and changes to them never happen in isolation.

Success is best made when you have allies, and there are more of these in your organisation than you might think. Whether it’s tied to safety, HR or the digital workplace, there’s a good chance you’ll find a programme with overlapping values, problems and solutions.

Don’t look at these as competitors for scarce resources. See them as opportunities to maximise engagement across your workplace. After all, information security is no stand-alone. It needs weaving deep into your cultural fabric.

That’s what all these failures have in common - they all stem from a lack of collaboration and communication.

So, talk to stakeholders, talk to employees, talk to champions and talk to other teams.

Ultimately, behavioural change in security rests on a process of blending perspectives across the technical, security and business realms.

Learn that fundamental lesson of collaboration and you might earn a week flush with success, rather than fogged with failure.

Want to know more?
TSC's Consultancy service offers real benefits to CISOs looking to take their inforamtion security programmes to the next level.

Have a look at our Insights and Measurement area, contact enquiries@thesecuritycompany.com or call us on +44 (0)1234 708 456.