Getting people to support security change is an ongoing challenge. Forcing people to comply might seem like the right approach, but seldom works and creates a lot of friction that bites us later. A better approach enlists the help of influential leaders to create soft pressure for their teams.
Influencing without authority seems daunting when we think we have to reach everyone.
Instead of trying to influence everyone, focus on getting the leader (and possibly the leadership team) of the site or group to champion the change. Then support them as they create soft pressure by asking their direct reports to comply — and then asking their direct reports to do the same.
Soft pressure is a top-down approach that blends a clear expectation with a specific ask coming from direct supervisors. People pay more attention to the messages and requests of their direct supervisor.
Here’s how this works in practice. I’ve written recently about helping the organization improve adoption of multi-factor authentication outside of the technical organization. They tried to force compliance, and it failed. That drove them to explore ways to influence without authority.
We started with the local technical leadership of a larger site because they understood our project goals and the site leadership. They got excited during the initial call, eager to try a different approach. They asked to handle getting support from the site leader and his direct reports to strengthen their relationship and reduce the workload on our team. It also makes it easier to scale the program to future sites.
The key to using soft pressure is supporting the leader in making the request and make it easy for the folks complying with the ask.
The local technical leads explained and outlined precisely what they needed. We collaborated on a single page, front-side only, document that explained what we needed, why it mattered, and how to comply. We used simple language free of jargon and even included a QR code to a video to walk people through the setup process.
We used the same single sheet of paper to support the site leadership team. The process was a lot easier than we expected and took a lot less effort on our part to support the site. This freed us up to focus on how to scale the program and handle other tasks.
The tradeoff is that creating and using soft pressure takes time.
Once the leader sets expectations and makes the initial asks, it takes time for the direct request to work through the organizational tree. Longer when you include shift-work, time off, and other scheduling nuances.
The best thing that we can do is exhibit patience and gratitude. But there’s one more thing that we’ll talk about, too, and that’s keeping score. We’ll cover that in the next column.
Use soft pressure to learn how to build relationships to help drive security improvement without creating more friction and free yourself to solve more of the right problems to deliver value faster.