Leading by Example
So how can organizations make the shift from creating awareness to tangible behavioral change? Like so many things, culture change has to be led by the top management, says Barsade. “The most important part is that senior leadership and leaders down the organization must enact the values they say are important. They need to really live the culture for it to trickle down.”
Mehta points out that in some organizations data breaches are not reported and senior managers don’t worry. In others, any data breach is reported not only to the security regulator, but all the way to the top management. These behaviors depend on “how top management perceives risks and security threats.” Adds Coles: “Employees are more likely to pay heed to what their bosses say and do, rather than directives from a security person they have never heard of.”
It is also important to ensure that the structure of the organization is aligned with its values. Policy and procedural impediments need to be removed. Two other critical pieces are communication and participation.
Pointing out that people generally tend to hear things differently, Barsade emphasizes that “you really can’t communicate enough in a culture change. You have to keep communicating.” And, while typically it is the top management that decides the principal values, when it comes to executing the change, it is essential to involve people lower down. Metrics and accountability, too, need to be in place, adds Barsade. According to Mehta, business departments must be held accountable for not only executing security initiatives but also for identifying the risks. “It is important to cover the entire lifecycle of a particular function. Ignorance cannot be excused,” he says.
Understanding Mental Models
Coles and Mehta suggest that organizations need to understand the “mental models” of their employees, and how they perceive risk and security, in order to influence their thinking. “If you can understand what factors different people consider when they think about risks, then you can tailor how you influence their behavior,” Coles explains. “If you focus on what they think is important, then your messages are more likely to be heard and therefore be more effective.”
Mehta adds that messages framed with examples that carry over from personal life (backing up family pictures, protecting personal banking information) to work life (backing up company data, protecting client information) are understood more quickly and easily. “If you can communicate the aspects of risks in a manner that the target audience finds interesting and relevant, they will remember it and follow it.”
Elements of regional and national culture also need to be factored in, especially in the case of large global firms. For instance, in many developing countries, “tailgating” (i.e., following an authorized person through a controlled door into a restricted area without presenting one’s own credentials) is socially acceptable, while in the U.S. and Europe, it is not. “Perceptions of risk and security often vary across the world but if the corporate values are clearly defined, then it is more a matter of how you embed the change in different parts of the organization rather than the end culture itself,” says Coles.