Picture this. Employees, managers, directors and shareholders all spend much of their time being communicated with by their colleagues. Behavioural scientists estimate that we make up to 5000 decisions a day. Many unconsciously using intuition and the remainder through conscious thought. Each decision requires us to process information communicated to us, analyse this, make a decision and then carry out some course of action. Some take milliseconds some take much longer.
Now you’ll most probably recognise the following.
In a work context most people have a back log of messages, actions, reminders or conversations that require action. They have to prioritise where to invest their time. What makes it harder still is that you have to prioritise some things, over others, even though there’s apparently a good case for both. What makes it easier is when you have to decipher what someone’s saying for their benefit. Easier I hear you say? Yes, easier is what I’m saying. What makes it easier is that you don’t action it! One less task to follow up.
It does not take a scientist to highlight that our lives have become over whelmed by people trying to communicate with us. Everything is a priority or matter of urgency to those that have communicated with you. But those receiving the messages may, and in the case of information security, do, often have a different set of priorities. If they are not urgent then they quickly fall down the pyramid of priorities.
Information security professionals operate in a highly competitive environment. You could even consider it a market. I don’t mean a highly competitive job market by the way. I mean a market where metaphorically speaking, information security, is a product to be consumed by employees and the Board. Unfortunately the information security product sits on a shelf packed with other business functions products with sexier branding, values seemingly better in line with the audiences KPI’s or just on a better shelf and at eye level rather than down by their feet or too high to see. Think about the old adage “Out of sight out of mind”! All these factors effect the likelihood your product will be consumed.
To be consumed, audiences first need to know it exists, then they need to choose it over all the other products out there competing for their attention. And we know there are many. Then the experience of consuming it needs to match the expectations of the audience. If they don’t have any then give them some but make them realistic.
We are, like it or not, competing with our working counterparts, across the enterprise, to be a priority in stakeholders conscious and a permanent resident in their unconscious. When it comes to a scenario where we need them to make the right decision incorporating information security we want to be there. Not all will win this race. In Darwinism terms it’s the survival of the fittest. Just how fit is information security at competing for the audiences attention?
When you realise this, it is not so hard to ask your self the question, “what can I learn from those that market consumer goods, that may help me secure the commitment and support to good information security practice and culture within my organisation?”
Bruce Hallas is the Founder at The Analogies Project and is The InfoSec Curator. He’s also been known to do some consultancy on the side.
The Analogies Project is a not or profit venture providing a single source of information security analogies, metaphors and stories free of charge. The project aims to help the security industry to engage with audiences more effectively by exploring security in a context none industry audiences are more familiar with.
If you use analogies or metaphors and want to support the global information security community tackle the long standing human engagement issue then maybe you could contribute to the project? Please do get in contact at Twitter @TheAnalogies or www.theanalogiesproject.org.