The need to bring people with you in any change process is always considered as a paramount task. In cyber security the importance of people as both a defence and an attack goes even further. When properly engaged, the organisation has a built in resource that is already working for you.
The challenge for Leaders is to make sure that people are focused and that they know what they are involved in and what they are looking for. Sounds simple. Think about projects and programmes that you have been involved in as a manager or participant. Resistance is often rife.
Culture will drive the speed at which things happen. An organisation that has invested in communications and believes in positive employee relations can move faster than those who have not.
People however, are inclined to fall into one of three groups. Those who are interested and will go with the new programme. These people are sometimes referred to as ‘Disciples.’ They are few in number. They get the message and are able to communicate it. They will advocate for the cause when they understand it. Hopefully some of this group are managers but it is not always the case. They can make good project managers, facilitators or trainers once their awareness is raised.
The majority of people fall into a ‘Middle Majority’ group. Often times, they are frozen; don’t know and don’t care about the programme. They are waiting to be engaged and to be convinced that they should participate. Their behaviour can be frustrating for the ’Disciples.’ Communication plans and awareness training are needed to inform and educate. Anticipating that the middle group are not enthusiastic, helps the planning process. Most of the energy required to bring about the change, needs to be expended with this group.
The last group is known as the ‘Devils.’ They are another minority who see their job as resistance, preventing change, maintaining the status quo. They are often articulate and used to presenting an argument that cogent. Sometimes, they are referred to as ‘Devil’s Advocates.’ They will spend inordinate amounts of time, arguing with you and colleagues to ‘better understand’ what this is all about. All delaying tactics that are deployed to prove something that only he understands. The best advice given about this type of person is to ignore them and wait until the Middle Majority overwhelms with new knowledge and skills to effectively deal with the problems. If the Devil happens to be a manager, then rally the management team to deal with the objections. Don’t take it personally.
When managing a cyber programme, we have some useful information about behaviours that would be useful in the ‘Disciple Group’ namely:
- Adaptability
- Compliance
- Dependability
- Energy
- Learning orientation
- Organisation
- Resilience
These behaviours when combined with an ability to detect errors and match patterns, provide the right mindset needed for problem solving cyber issues. This suggests that not every employee is the right candidate for cyber work. Cyber awareness training is a good place to start looking for recruits. Providing cyber skills beyond awareness is helpful and financially a cost saving. It now looks like all organisations will set up a cyber structure that supports future digitalisation and the continuous flow of attacks.
Remember, Nobody is safe – accepting this position, provides the opportunity to accept the need for better understanding of the best resource we have to tackle cyber-attacks – our people.