Cybersecurity isn't just a technical issue, it's a matter of policy – and influence. So said Melissa Hathaway at a recent conference on the issue. “It takes a combination of strategies aimed at a handful of vital behaviors to solve weighty and persistent problems,” said Hathaway to an audience of information security professionals. In offering those remarks, Hathaway was borrowing a page from The New York Times best-selling book, Influencer. The book argues that peer pressure can harness the power of everyone to make change. How so? For answers, ExecutiveBiz recently caught up with David Maxfield, one of the authors of Influencer. Here Maxfield offers his take on how to influence others on the cybersecurity front – and in other aspects of your life.
ExecutiveBiz: What's one of the biggest mistakes people make in trying to influence the direction of cybersecurity?
David Maxfield: The mistake is to assume cybersecurity is a technical issue, not an influence problem. We've done a lot of research in the project management space, and we've found that when it comes time for implementation, snags in implementation are rarely due to technical issues. Moving forward involves policy and politics – and that's where things get rough. If there is no alignment at the policy level, don't expect technology alone to fix cybersecurity challenges.
ExecutiveBiz: How can you find common ground?
David Maxfield: My dad has a saying, “If something isn't worth doing at all, then it certainly isn't worth doing well.” So, begin by working to find mutual purpose – the mutual interest – that would motivate similar best practices.
ExecutiveBiz: Employees have been called the “weakest link” in cybersecurity. How can you influence them?
David Maxfield: First identify vital behaviors. In most situations – even when there's a complicated dynamic going on – there are usually two or three behaviors that drive the majority of the change. Then define what it is you want your employees to do. Otherwise the request is too abstract.
ExecutiveBiz: And how can you frame your request?
David Maxfield: For example, you can say: “Log out of your network anytime you leave your office or internet connection; do not store passwords near your computer, store them in a private place.”
ExecutiveBiz: How can you hold people accountable?
David Maxfield: By creating a culture of accountability. Let me use an example from healthcare, where people are trying to hold colleagues accountable for something as simple as washing their hands. We train people in interpersonal skills, in how to speak up. We get the team together and we say, “We all agree we should be washing our hands, right?” We also say, “We all agree there will be times when we forget, like when we're busy or when it seems low priority … we're all going to agree to remind each other, right?” Then we say, “When you're reminded, how are you going to respond? Are you going to be defensive or are you going to just say, ‘thanks,’ and change your behavior? Now let's practice it …”
ExecutiveBiz: How does that practice session unfold?
David Maxfield: The team will come up with three or four scripts and they'll practice it with other people in the room. It's also important to have high-ranking people in the group – people like physicians and residents – because they can be hard to remind. I could imagine people who share an office space – and are committed to a company's cybersecurity guidelines – using a similar method to foster accountability.
ExecutiveBiz: How else can you get people to care?
David Maxfield: Have your facts, but find dramatic ways to present them. Don Berwick, one of the influencers we work with, is a master at this. He's working to improve safety within hospitals. He'll find a way to make data more dramatic, often by personalizing it with a tragic story. Cybersecurity holds plenty of dramatic stories as well – find them and share them.
ExecutiveBiz: Let's say you're not an influencer – yet – in cybersecurity. How can you become one?
David Maxfield: I'd suggest locating people who are already opinion leaders and partnering with them. Often you are seen as either high in expertise or alignment, but not both. If you are seen as the “expertise person” in cybersecurity, find a way to partner with someone who is seen as intimately aligned with the senior team – someone who is trusted but who is not an expert in cybersecurity.
ExecutiveBiz: How do you make the approach?
David Maxfield: I give this advice to every new employee in any organization: Determine who the go-to people are. Just ask people, “Who do you look up to around here?” Then make an appointment with that person for lunch or, if they're too busy for that, make a 15-minute drop-by appointment and say, “I want to pick your brain.” Ask questions like, “What do you see as the biggest priorities for this group? What are the biggest obstacles we should look out for? What could I be doing to be most helpful in this group?”
ExecutiveBiz: Any final thoughts on being an influencer in the cybersecurity space?
David Maxfield: Remember: Recognize the challenge as an influence challenge, not just a technical challenge. Technology is just one source of influence and while it's often the easiest, it can also cause the most problems culturally if it's not implemented as part of a larger influence strategy.