Why cybersecurity is a Change to most business employees
More than security awareness and training
According to ISACA, awareness and training would best reduce the frequency of phishing attacks succeeding in an organization. Employee awareness and training is the best method to prevent employees from becoming victims of a phishing attack.
When you think about all the ways people need to change, as a result of cyber-attacks, it can be mind-boggling. But not if you’re already in information security or technology. Or work for a technology company. Then — it’s just natural. MFA, password managers, thinking critically before clicking on a link (even then a lot of us, myself included, can and will get caught by this — they’re just that good these days). You make adjustments to your daily work routine, to accommodate the additional processes, because you are aware of, and understand, and agree with, the reasons for such additional processes. For such change.
That’s not the case if you’re on the business side, if you’re a business employee or you work for a business.
For business employees, MFA might get confused with Mixed Martial Arts (MMA), password managers might be literally a guy you go to, to manage your passwords, and thinking critically before clicking on a link — might come off as extremely condescending. So making even more adjustments to an already packed daily work routine, to accommodate processes they are not aware of, do not understand, and definitely do not agree with because it adds even more complexity to their day?
Probably not going to happen.
PROSCI has an article titled “Build Sponsor Desire for (People) Change Management by Tapping Into Beliefs.” And in it, Ian Croft does a beautiful job explaining something called the Neurological Levels framework:
“All people have belief systems. They’re part of the Neurological Levels framework created by Robert Dilts, which help you understand how people view and interpret situations. The levels appear in a pyramid or hierarchy, with each level impacting and relating to those below it.”

I’m going to focus on two concepts Ian discusses here: capability and beliefs.
Ian states:
“…values and beliefs give you the Capabilities either to do something or not do something. An empowering belief gives you the capability to do it. A disempowering belief stops you being able to demonstrate that capability.”
Ian goes on to say:
“During…change, a person will say, ‘I (identity) can (the belief and value) do (the capability) X (the behavior you want me to exhibit) here (the environment it needs to happen in).’ This translates into ‘I can do X here’ or ‘I cannot do X here’ as you come down the triangle, and the can or cannot is determined by the beliefs you have around yourself.”
If we go back to cybersecurity as a change for business employees, this might translate to: “I can incorporate the additional steps needed to do MFA every time I log in, because I totally get why it’s important and how much I can protect the company by doing so. I’ll understand that it does add a few steps to my day but ultimately it helps protect me and the company…and my job…in the future. I might struggle a little at first with getting all the new steps right but eventually I will and I know this is important to me and my job.”
Typically though — you will not be able to tell them this. They will have to tell themselves this. And they can only do so, once they’ve become aware of the benefit of the change to them (i.e. job security). And not in a threatening manner either (better do this or else your job is on the line). More — this is important to the future of our company. It helps to protect us from million-dollar ransomware attacks, and if we ever had one, we might have to declare bankruptcy.
Think benefit, not consequences. Think kindness and empathy, not frustration and threats.
These employees are much like you. They have families at home. A loved one. Hobbies they enjoy. And stresses at work. Things going on at home you don’t know about. They don’t understand all of the ins and outs of information security, likely never will, and probably don’t even want to. In much the same way you might not want to learn everything about marketing, communications, human resources, and strategy.
So be kind to your business peers. Work to develop strong working relationships with them. So they can help you protect your organization from cyber-attacks.
And so you can see what a Change cybersecurity is for them.
Happy leadership.