#TEISS19: Brute Force Won’t Change People's Behaviors, You Must ‘Modify’ Their Beliefs

Speaking at The European Information Security Summit 2019 in London, Adam Anderson, CSO and founder, Hook Security, explored behavioral psychology and how IT security leaders can effect changes in behaviors to improve security buy-in from the C-suite.

Anderson said that you “can’t change [people’s] behaviors with just brute force efforts, you have to modify their beliefs to get to behavioral change.”

When it comes to beliefs about security that C-level execs typically hold, he pointed to the following:

  • “Security slows down my project”
  • “Security is going to kill my budget”
  • “Security doesn’t understand what I’m trying to do so it can’t advise me effectively, I most likely don’t need as much as they think I do”

Anderson argued that these beliefs are damaging to a company’s security efforts and that the challenge for security leaders is to change them. In fact, he argued, the number one cybersecurity risk facing the world is the “nerd’s inability to write a business case that the CFO will fund.”

“Technology is not a problem,” he added. “All of us [IT security leaders] are very, very smart and have a very solid idea of what kind of technology we need to lay down on top of various security controls or risks. What we fail at is communicating that to anyone that has the power to do something about it.”

So, to rise to that challenge, Anderson said that IT security leaders must stop overusing compliance and fear-mongering language and change their own approach to communicating to C-level execs to ultimately gain the buy-in they need.

Firstly, security leaders must understand their target by finding out who the CIO reports to.

They must also remember that they are not the “hero” or the star of the story: the business is the star and “your job is to advise it, and you do that by changing your words.” IT leaders do not “own” risk, they advise on it; they do not “enforce” compliance, they align it; and they do not “inflict” business, they enable it.

Anderson concluded by saying that by changing the damaging security beliefs of the C-suite, you will “help them avoid the horrible consequences of their decisions.”