Everything should be made as simple as possible, but not simpler. ~ Albert Einstein
Those of us who took Marketing 101 a long time ago may recall the story of the dog food manufacturer who wanted to dominate the market. Their scientists developed a nutritious formula, packed with extra vitamins and minerals. The people in packaging researched the buying patterns of dog owners to find out what package colours and shapes were most appealing. And the marketing department engaged a famous PR agency to develop killer advertisements and spent a huge amount on TV and billboard ads.
The first month, sales skyrocketed, with even stronger projections for the coming months. Everybody was upbeat. Congratulations were flowing around the company. However, 3 months later sales rapidly fell off to a plateau below break-even. Needless to say, the CEO demanded answers. At a large meeting, each department vigorously defended themselves, pointing out that it must be the other department’s fault. Finally, the secretary in the corner taking notes spoke up. “My dog won’t eat it. And my friends all say their dogs just don’t like the dog food!” No one asked the dogs!
This might be a fanciful story, but the point is clear. When designing things for people (and dogs) it is best to design them with the end user in mind.
And that brings us to internal cyber security policies, procedures and processes. As a result of the growing tsunami of cyber-crime and the enormous loss of data and sensitive customer information in such high profile breaches as Equifax, Marriott and Facebook, the number of compliance policies has grown in an effort by regulators and internal risk departments to provide adequate safeguards.
In general, these new regulations and policies are well thought out, researched and obviously intended to help businesses be more cyber safe. Many are even developed in consultation with industry executives in order to be fit for purpose.
However, our experience is that the internal policies, processes and procedures around cyber security are not user friendly. Basically, people don’t understand them. Most are written in a way that the average employee can’t understand. They are often long and difficult to follow. The honest truth is, most people read them once in an email or a memo, or review them in a cyber training class, then promptly forget all the steps and details. Not that they don’t care, but it’s just too difficult to remember.
It is our experience from internal workshops and discussions that employees want to be cyber safe. They intuitively know that the better the cyber security, the better the company performs and the more secure their jobs and families. But the traditional way we have been developing internal cyber security policies and procedures makes them difficult for employees to remember and implement. And it’s not just the average employee. Senior executives are equally confounded by the language and the way policies and procedures around cyber are presented.
Design for Cyber Understanding
The new disciplines of user-experience development and design thinking must be integrated into how we develop and deploy cyber security policies and processes if we are to engage all employees to become our “human firewall”. However, most internal policies are written by either engineers, lawyers or technical experts.
Did you ever try to assemble a new crib or bookshelf that came in a flat pack by following a manual written by an engineer? Most of us look at all the detailed instructions, toss the manual and wing it. And in many cases, that’s what your employees are doing when it comes to cyber security policies!
Why not get a group of employees to help design how new policies and processes about cyber security should be presented? There are several obvious benefits.
When employees help design a policy, they are more engaged and understand the value. And they will positively influence others.
The new policies will be easier for everyone, from the CEO to the new recruit, to understand and implement.
Policies that are user-friendly are easier to implement, which can reduce the number of cyber incidents and also reduce the time from incident to containment.
User-friendly policies help create a pro-active cyber security culture, which is often the missing link in overall cyber security.
Let’s not let technical or legal arrogance get in the way of creating cyber security policies that can go far beyond ticking the box to becoming key elements in your “human firewall”.
For a discussion on cyber security culture inside your organization and how to map culture drivers, contact us here.