Security leaders often lack the authority to force people to change, even with the support of business leaders in a position to compel people to act.
Instead, we need to rely on influence instead of resorting to force. Force is not only the failure of influence, but it builds friction that erodes value, destroys trust and burns people out.
Influencing without authority is hard to get right because we need to understand the impact of our change, clarify what we want people to do, and make it easier for them to comply.
Take multi-factor authentication (MFA) as an example. We know MFA is important for building resistance to account takeovers, ransomware and other attacks. While it might seem straightforward and easy to those in security and technology, there are many people who have never heard of MFA, don’t understand why it matters and are reluctant to change how they do things.
It takes a lot of work to influence people to change. A good first step offers people a map to explain what we expect, why it matters and how people can make the change. This is powerful when you connect to something they already want to do.
You don’t need to do all the work yourself.
Ask the people affected by the change to help review and improve your plan to get better results.
I recently helped a client use influence instead of force for their MFA program. After 18 months, the biggest success for the program was forcing the technology staff to implement MFA while creating confusion and resistance across the balance of the organization.
We started by engaging the field to better understand their situation and how they would approach getting people to use MFA. We reached out to Jesse (not her real name), the global technical site lead, to learn from her experience.
We turned our notes and collective insights of the group into a hand-sketch plan to show the various coordinated ways we proposed to ease MFA adoption. Sharing the visual approach with Jesse and Peter (not his real name), the site lead, sparked a lively collaboration.
We got an immediate benefit when, to our surprise, they told us there was no value in creating a train-the-trainer program. They also nixed the idea of recruiting technical influencers on each site to champion the effort. Based on what we proposed, they highlighted two key areas to focus on and suggested we develop a single page, jargon-free overview to share with employees. Then they laid out precisely what to include and how to explain the what, why and how.
Near the end of the meeting, Jesse and Peter thanked us. Most people just resort to force, making their jobs harder. This approach allows them to build stronger relationships with local site leadership. They were eager to help and prove this model worked, so other people could follow it in the future. They even showed us how to scale the model to other sites in record time.
Recognize the desire to use force as a failure of influence. Use it as a signal to reconsider your approach.
We engaged others eager to help us build a program they were excited to champion without the need to rely on force. When you engage the people affected by a security change and ask them to help build the right plan, you get better results with less friction.