If the pandemic has taught us anything, it is that change to any organization’s security culture is essential if we are to adapt to the “new normal.”
With the increase in working-from-home arrangements, we are putting our employees out on the front line without the safety of the office and its IT staff to protect them. This introduces new risks which were previously covered by traditional security controls and mitigations. They were easy to manage in an office environment but are completely circumvented in today’s world.
And the drive towards zero trust has suddenly become more challenging as the reliance for security falls more on the individual at home.
I would like to believe that we, at Kurtosys, are quite responsive to these changes. But, despite our willingness to adapt, I had to learn many new lessons on facilitating change.
So how does this relate to dog training? Allow me to explain…
I have two beautiful Labrador Retrievers, both whom I have trained up to working gun dog standards. During my time training dogs, I have come to see similarities between teaching animals and changing an organization’s security culture.
So, here are my top 5 tips to facilitating change through the eyes of a dog trainer. Hopefully, they will help you, be it to train your trusty Fido… or change your company’s security culture:
1. Change is voluntary
You cannot train an animal using force. You might be able to mask a dog’s behavior using punishment but try that when training an Orca to jump though a hoop. I do not think you will win that argument with force!
It is the same with people: you can try to beat them in to submission using policy and threats, but all you will do is end up masking bad behaviors. Force only ruins relationships. They must want to change.
2. Be consistent
As much as I love my dogs, I must admit that they are a bit simple. If you teach them the word “sit,” you always need to use that word. You cannot use “sit” one day and “sit-down” on the next. The dog will not understand what you are asking it to do.
Although people are far more capable than dogs, consistency is still vital if you want a group of people to perform in a predictable manner.
As an example, if your policy states that removable media is not allowed, then it must be communicated through the ranks with no exception. Allowing exceptions will send the wrong message and give people the impression that it is fine to ignore policy if they have a good reason.
3. Be patient & repeat the message
If you have ever owned a dog that pulls on the lead, or jumps up on people, then you know that it takes a lot of training and patience to correct these behaviors. The best way to prevent a dog from pulling is to simply stop in your tracks. The animal will eventually learn that bad behavior (i.e., pulling) means that we cannot move forward, which is where the dog wants to go. It takes LOTS of repetition before Fido eventually “gets” it.
Similarly, if you want people to understand what to do, you need to educate them and repeat the message. That is why we run regular internal phishing and social engineering exercises which are always followed up with a training session for those unlucky few who get caught. Thus far our results show that there is a massive improvement in staff engagement and response because we repeat the message on a regular basis.
4. Manage your expectations
I cannot count the number of times that I have seen people get frustrated at their dogs when they do not listen. The dog is not ignoring them on purpose. They do not understand what is being asked of them in the current situation. Fido may well sit nicely when asked at home but forget about it when he is out in the field – there are too many, nicer, distractions!
The frustration comes from the handler who is simply expecting too much from poor Fido. The command has not been re-enforced enough for the dog to understand that he needs to do it no matter where he is.
Likewise, you cannot ask an organization to comply with new policies and expect it to be adhered to immediately. It does not help getting frustrated at Bob in Accounts whenever he fails to correctly report a SPAM message, despite all the training you have provided. He simply forgot. Instead of getting frustrated, adjust your expectations based on people’s experience. Guide Bob.
5. Set them up for success
Dogs learn better through successes than failures. That is why it is critical to set them up for success. When you train a dog in a new behavior, you do so in an environment free of distraction. By doing so you are making it easier for him to succeed and remember the new command. You are, in effect, managing his environment to guarantee success.
The same can be done for people. Set them up for success by managing their environment. Give them the tools to make it easy for them to succeed.
As an example: instead of reprimanding people for sharing credentials or confidential information, offer them alternatives that make it easier for them to do so, but in a secure manner. Tools like password managers might fill that gap.
Now go on, try these tips and let us know if they made a difference. Or do you perhaps have any tips you’d like to share with us?