
How security teams can encourage people to act on requests

Security messages often read like corporate missives, says leadership columnist Michael Santarcangelo. (Prostock-Studio/iStock via Getty Images)

Security leaders increasingly need to influence people we cannot compel directly to take actions we deem beneficial for everyone. Unfortunately, many of our efforts to influence without authority fall flat, and it can even feel like people purposefully avoid acting instead of just doing what we considered a simple ask.

The reality is we need to take a different approach to connect with people while making it easier for them to act. Or, as Larry (not his real name) recently explained,

“Well, your messages make people look for the ‘leave me alone’ button.”

That little gem came while I was helping an identity team diagnose why its efforts to get people to adopt a new MFA client just weren’t working. I pointed out the need to focus more on influence and suggested we speak with a technical site lead, since they had a better understanding of life at the site.

Not only was Larry receptive, he explained why the previous attempts didn’t work and laid out the plan for success in about 30 minutes.

Why people look for the 'leave me alone' button

Larry explained that the messages the identity team used read like typical corporate missives that demand confusing actions with little clarity or guidance. These messages fall flat because they use words and language that most people don’t use. People interpret them as idle threats and ignore them until the nagging increases or their boss tells them to act.

The common response to these messages is to look for the button to leave them alone, so they can focus on their jobs. After all, that’s what they get paid for, and it’s where they feel the most pressure to perform.

If we consider their perspective, it makes sense. Resorting to force just signals failure of influence and jacks up friction.

So we asked for help from Larry, a local site lead.

Use connection to build connection

As a technical lead embedded into a non-corporate site, Larry connected corporate IT with the site, including leadership. Larry had a sense of what worked and what just made things worse.

When we met with Larry, we started by explaining the problem we were trying to solve. Here, it was moving people to a specific authentication application instead of using the phone or nothing at all.

Then we asked how he would solve it and listened.

He started by explaining that we needed to strip away the jargon and keep it simple. Then he amazed us by offering to own it locally and help us reach the goal. He explained that he already had the right relationships — and this would allow him to build on them.

Naturally, we accepted his offer of help.

Answer 3 questions to avoid people looking for the ‘leave me alone’ button

On a roll, Larry explained we needed a one-page overview — one side of one page — that was simple, clear, and free of jargon, available in print and as a PDF. He asked us to answer three questions:

  1. What are we asking people to do?
  2. Why are we asking them to do it?
  3. How do they need to do it?

Then Larry really shined and essentially wrote the one-pager during the call. What surprised me was the importance of explaining and using security as the why. He told us that security was important enough at the site that it would resonate with people, instead of coming across as a corporate task or some sort of demand, and that tying the request to the importance of security would be enough for most people to comply.

Invest the time to make it easy

The last gem we learned from Larry was the importance of adding a prominent QR code to link people to a short video and additional information if they wanted it. While I bristled internally at the thought of using QR codes, I embraced the advice.

The takeaway is the importance of making it easy for people to comply with your request. Once you explain what, why, and how — in that order — make it easier to take action than to ignore the message.

Michael Santarcangelo

Michael Santarcangelo is the founder of SecurityCatalyst.com, author of Into the Breach, and creator of the leadership-driven Straight Talk Framework – with our favorite question, “What problem are you trying to solve?”
