What your IT Security Awareness program can learn from New York City’s policing transformation
In the 1980s and early 90s, New York City was a fairly lawless place. Muggings, petty theft, graffiti and even homicide were commonplace. The city’s subway was a dangerous and menacing place for commuters and tourists, and the prevailing attitude among members of the police department was one of resignation. They believed the city was too big and the police force too disparate for effective policing to happen.
Then, in February 1994, Bill Bratton was appointed police commissioner of New York City and, within two years, he had transformed it from one of the most dangerous cities in the United States to one of the safest.
Bratton used a technique known as “tipping point leadership” to enable this spectacular transformation to happen. Its concepts are intuitive.
The four steps are:
Break through the cognitive hurdle
Bratton was smart enough to realise that dishing out dry statistics to his force about the state of crime in their city was not going to work. Statistics are impersonal and not very effective at getting people to understand the need for change. Instead, he had a better idea. He encouraged his managers to go out and see the problem face to face. He discovered that none of them travelled to work on the subway, so they were unaware of the drunks, vagrants, aggressive beggars and gangs of marauding youths loitering around stations. He, therefore, ordered his officers to travel to work by subway so that they could see the problem first-hand.
Does your organisation have senior managers who have “cognitive hurdles” surrounding information and cybersecurity risks? Recently, SecureClick was dealing with such a scenario. Some senior managers of a government-sponsored organisation we were helping believed that information and cybersecurity risks were not a salient issue. On the first day of training, SecureClick gathered newspaper headlines of their counterpart organisations in the UK, Germany, New Zealand, USA and Canada which had either been hacked or suffered a data breach. We turned these headlines into posters and put them up on the wall of the conference room. Within minutes of entering, some of these sceptical managers were looking at these posters. We could see their cognitive hurdles dissipate right in front of our eyes as they started to ask us about the attacks before our presentation had even started. The posters, depicting real-life headlines about peer organisations that had been hacked or about high-profile data breaches, helped to bring the issues home.
Sidestep the resource hurdle
Bratton was a firm believer in metrics. He used the Compstat crime database which helped to identify hotspots that needed intense police intervention and provided staff with weekly crime and arrest activity for specific locations around the city. This made resource allocation both more efficient and justifiable.
An effective IT security awareness program pays for itself, but also uses metrics for efficient resource allocation and the tracking of program success.
Get your employees engaged
Bratton considered it impossible to get every single member of the New York Police Department to buy into his changes. For that reason, he identified the key influencers who would help convey and amplify his messages. These key influencers in organisational change can operate at any function or position in your organisation.
Bratton instinctively knew that employee engagement would be difficult to achieve by trying to introduce a “big-bang” change. Therefore, he used a “divide-and-conquer” strategy. As a result, his change program would happen “block by block, precinct by precinct, borough by borough”. This made his lofty goals seem more realistic and attainable for his staff.
Who are the key influencers in your organisation when it comes to data security? It’s important to know as these people can be your allies in implementing your IT security behaviour change program. Is your IT security awareness program a little too broad? Trying to change the whole IT security culture in the space of a few weeks does not always work. Like Bratton, you sometimes have to adopt a “block-by-block” approach. For example, spending two weeks focussing on anti-phishing and the next two weeks focussing on malware prevention can be more effective than providing a single surge of information on diverse security topics.
Overcome political hurdles
Bratton knew some managers would oppose his change program. He anticipated their reservations and presented them with indisputable facts to challenge their dogma and orthodoxy. For instance, when police managers were asked to compile regular and detailed crime maps of their precincts, Bratton rightly anticipated that some would claim they did not have enough time. Therefore, he got his deputy commissioner to design a reporting system which required no more than 18 minutes a day to complete.
When launching your IT security awareness program, try to anticipate some of the objections. You can counter objections such as “my department has no time for IT security training” with facts about how training delivered via techniques such as microlearning can take just a few minutes a day. Objections such as “we’re not a target” can be countered by providing evidence of data breaches and cyberattacks that have been targeted at peer organisations abroad.