One of the main challenges that drew me to Information Security (and management in general) was that of helping to build a working culture that is genuine, sustainable and is aligned to support 'the vision'.
I've had the benefit of learning directly, and from the experiences of past bosses, leaders and mentors, how not to approach cultural change initiatives. Knowing what bad change approaches look like, usually without any real clarity around what perfect (or even good!) may be, is a useful head-space to occupy.
At least in the absence of knowing what to do, knowing what not to do provides a useful reference point.
I find that this simple psychological tool helps me to sanity check if I'm falling into those past gotchas and traps as shared with me by the wise few who've been there, seen it, burnt that bridge, picked themselves up and started all over. Haven't we all?
The challenge of raising Information Security awareness through driving a working culture change speaks to the manager, marketeer and technical sides of me. Something we're working to hone at Photobox is to increase our Security awareness through an InfoSec communications practice that ties our Group's photo and personalised products (greetings cards, cushions, t-shirts, gifts and more - you really should check them out, they're awesome) to our cultural Security messaging.
Recognition and reward are important facets of human nature that I believe must always be kept in mind when seeking to drive cultural change within organisations. Whilst I'm sure many of us would love to be paid megabucks and to appear on the front page of Time magazine to celebrate our no-doubt outstanding contributions to industry, this tends to mainly serve the person on the front page; more an ego stroke of one person, rather than mass cultural shift...
Instead I believe that subtle recognition and reward can play an important role in 'infectious' cultural change from within an organisation. For those of you who haven't yet had the chance to see the InfoSec-presenting 'Jedi' that is Thom Langford, he has a killer presentation around awareness that touches upon 'Language, Experience and Choice Architecture' that I encourage you all to see if given the chance at future Security conferences he's presenting at (ask him about the "Janitor and Lipstick on the Mirror" story...)
In terms of reward and recognition, my good friend and inspiring CISO (Patrick Wheeler) famously chose a simple flashlight (and hand-made certificate) to thank and reward a member of his team who had 'saved the day' during a Security incident - presenting it to the member of staff alongside the Exec at an All-Hands sitting. The group effect of publicly calling out supportive InfoSec behaviours, and openly recognising and rewarding them, had a tremendous effect on how Patrick was able to build out his 'virtual' Security Army. We all know in Security how budgets are tight, our CFOs are under pressure, and how building virtual teams for InfoSec support is essential.
And it is here we arrive at how we're approaching this challenge the 'Photobox way': Our growing Security team (supported by Moonpig's excellent creative designers) have come up with this simple reward mug:
Our first few are rolling out to diligent members of staff who have been going above and beyond the call of duty to report issues, risks and even just the latest fishy phishing attempts.
Now a mug may not be the sexiest of gifts, but it does offer recognition and reward (plus it comes filled with sweets too), increases our Security team's exposure to the wider business - as the mug slowly gets circulated around the offices by our cleaning staff at the end of each day - and promotes our own Group's products in one simple gesture.
So, it seems that Photobox Group don't only make mugs - they may also produce trophies that affect cultural shifts...