
The 5 Critical Elements for Successful Compliance Change

By ISBuzz Team | July 3, 2015 | Updated: July 4, 2024 | 5 Mins Read
  1. Don’t wait for Change. Be the one who makes it happen.

Corporate lifecycles are shrinking. The way to sustain a company is to constantly innovate and evolve. Change is therefore inevitable, if not essential. As I wrote in a recent blog, changing everyday behaviour when moving to a culture of compliance is not a question of attitude; it’s a question of action.[1]

But change, of course, brings resistance. Integrating new compliance initiatives can be a costly process that requires commitment from those at every level of an organisation. Engaging with the human element in your company – that is your board members, your employees, and your customers – is the way to get the clearest picture of your company and to be able to identify what steps need to be taken to change the mind-set of those working with sensitive data. It’s no good simply propagating a philosophy of the need for change. As someone once said: philosophers interpret the world; leaders change it.

  2. Change is an art.

Is change an art or a science? There is no fail-safe way to successfully complete a change process. It is true that there is a certain science to a successful change process with established structures to work within, steps to follow, and ways of measuring progress. But affecting established (human) behaviour within an organisation in relation to data security is not always straightforward. Change will often lead to more questions than answers. Sometimes certain steps may not appear logical. Everyone will see the new protocol from their perspective. Change requires creativity, originality, and imagination. Change is very much an art.

But change must be delivered through a framework. You need an action plan that will help channel change efforts (alongside the existing management structure) to maximize employee engagement and participation, keep the change effort channeled within the context of the company vision, and be able to measure the progress of this change through set deliverables. Developing a step-by-step process that will eventually instil compliance into employee consciousness is the only way to sustain the success of new compliance initiatives.

  3. Change may be a top-down process. But it must happen organically.

It is true that change is something that needs to be led by leaders. Employees need a vision, a mission, and someone to drive them on in difficult times. Some say that you cannot impose change on a company. While that’s not strictly true – you can indeed impose change if you so wish – this type of change will not last, especially within the context of nurturing a new compliance culture. You cannot manipulate people into change. Manipulation leads to suspicion, mistrust, and resistance. The key, therefore, is to inspire. Change must be justifiable, comprehensible, and organic. And, crucially, it needs to be sustainable. Change can only be sustained by the involvement of all of those touched by the change – be it fellow board members, employees, or customers. Make sure employees at all levels are aware of the overall goals and how their efforts will ensure that sensitive data, the lifeblood of any organisation, will be protected. Then let them do it.

  4. Talk about it. A lot. Then talk about it some more.

Communication is the key to change. But it is not simply a case of keeping everyone in the know. While communicating the need for change is a complex skill throughout any change process, the fundamentals are constant. First, be truthful. Be honest with staff about how they are going to be affected by this change. Be clear about what the new compliance protocol demands from them. Also make the effort to demonstrate to them that you, as the leader, are also 100% invested in making changes to your working practices. In doing so you are signaling that this is a company-wide initiative that is essential to the continued growth of the company. Second, in the right moments, speak personally with people. Reaching out in 1-to-1 situations will add weight to what you say in group meetings. Gain their confidence by giving them your confidence. And third, be timely. While knowing what to say will show that you are methodical, meticulous, and well-prepared, knowing when to say what needs to be said shows an intuition into the needs of your staff as human beings. That is true leadership.

  5. Nurture change ownership throughout the company.

People make change happen. Without the involvement of everyone in the company, a new compliance initiative will neither be successful nor sustainable. When those involved start to not only think how they can contribute to improving data security, but how their actions can stimulate, spread, and sustain these changes, that is when everyone is truly working toward one compliance goal. Give those around you a vision and watch them realise it. That is the secret to successful and sustainable compliance change.

About Metacompliance

The company has developed a suite of products that can be matched to the information assurance maturity of a customer’s workforce. These products have extensive functionality in the area of Policy Management, Third Party Compliance Management, User Testing and Risk Management. MetaCompliance solutions meet the requirements of all sizes of organisations, in terms of complexity and scale.

Metacompliance is a privately held company that has been well funded to deliver on its business goals. Metacompliance is a software development organisation focused on delivering commercial off-the-shelf (COTS) software against our extensive product roadmap.
