Can you make IT Security Personal?
Of course you can, and you actually have to!
We humans all share a bias that draws us to personal messages and personal contact. So in your IT security work, remember to speak directly to your users, with a clearly identified sender.
One of the very simple things you can do is create a mailbox. Most teams already have one, and there is nothing special about that.
The special thing is that a real person always answers. That means you and your colleagues reply in your own names, and always with an appreciative attitude toward the user and her message.
Remember, a note from a colleague you usually see in the hallway has more impact than a note from an impersonal "authority."
For the same reason, when you post on the intranet, write your own name instead of the impersonal "from IT security."
Want to know why it works?
We all have a human bias called reciprocity. Reciprocity is not only a great word for Scrabble ;-) but also a very useful concept. In fact, it is part of what has kept us alive over time as members of a herd.
Reciprocity means that when someone does something for us, we feel inclined to give something back. For example, when someone invites you over for dinner, you feel the need to bring something as a kind gesture. That is the feeling reciprocity evokes in us.
This is why any good sales representative learns your name and uses it in conversation. Taking the time to learn your name makes you subconsciously feel that you owe something in return. For the salesman, this means his sale is just around the corner if he remembers your name.
Do you see why reciprocity is a great tool when building a secure culture? If you give out attention and effort, your colleagues in the organization are prone to subconsciously wanting to give something back. And what is more relevant to give back than creating that strong password you just took the time and effort to explain in that short video?
Bring your CISO into play
Another way to use the reciprocity bias is to have your CISO always write a personal card (by hand!) to the users who win your small competitions, or to the first person to report a particularly nasty phishing email. Maybe she could even deliver it herself?
I can assure you that it has an impact when the CISO personally shows up, expresses gratitude, and thanks the person for helping keep the organization secure. The story then spreads almost magically through the conversations at lunch.
If you have users abroad, receiving a handwritten letter from the CISO is a great solution that really captures attention in many cultures.
Have a chat
If your SIEM warns you of suspicious travel behavior (for example an "impossible travel" alert, where the same account logs in from two distant locations within a time span too short to actually travel between them), pick up the phone and call your colleague. Ask about it with curiosity, and with the message, "We just want to make sure you haven't fallen victim to fraud." One practical caveat: call a phone number you already know for that colleague rather than a contact detail found in the suspicious session or in a reply to the alert, because if the account really is compromised, the person answering your email may not be your colleague. Your kindness and genuine interest will really change how your colleagues see you, as a colleague rather than an enforcer of rules and controls.
Or something else entirely: What if your ISMS changed from a dense, legalistic text written in the negative passive ("Unauthorized devices shall not be connected...") into something written about what you, as a colleague, must do to keep our organization safe? (This draws on the social proof bias, which you can read more about in this blog post.)
Make it relevant and direct in its language and, for God's sake, understandable. Nothing kills a message like bureaucratic officialese and a readability score off the charts.
I have tried all these examples with terrific effect.
What about you? Isn't it about time to start talking to your users and thinking of them as flesh-and-blood colleagues?