Ever wonder why cybersecurity is so hard for people to get right? And, why are cybersecurity leaders failing to convince people to work more securely? We can learn some great lessons by studying the spread of medical and other technologies and then apply those lessons to cybersecurity technologies we know make a difference, such as password managers.
For example, anesthesia (specifically, chloroform) was in world-wide use less than a year from its introduction in 1846. In contrast, antiseptics, which were promoted in the 1860s, took over twenty years to become established in most operating rooms. Why the difference?
Here’s why: The spread of all new ideas about what’s good and how things should be is dependent on people talking to each other. Everett Rogers, who is best known for introducing the term early adopter, tells us that “Every change requires effort, and the decision to make that effort is a social process.” In other words, new ideas are spread and adopted primarily through relationships.
I’ve learned this lesson the hard way. Only after wasting $30,000 of my budget and a good chunk of political capital trying to implement a new, homegrown cybersecurity tool did I realize my lack of the right relationships had doomed me almost from the start. Based on what I learned from my failure, I take a drastically different approach to introducing change these days. My approach is more relationship-driven, which is what you should do as well, so that your change efforts will be more successful.
Back to anesthesia versus antiseptics. The New Yorker published an article by Atul Gawande: Slow Ideas. You may remember one of his well-received books, The Checklist Manifesto. (Save yourself some time and money: read the article upon which the book was based.)
Slow Ideas describes and promotes Atul’s Better Birth project. It’s an experimental approach to reducing the rate of death among mothers and babies during and shortly after childbirth in poorer countries. And, along the way, Atul also answers the question about anesthesia versus antiseptics.
It’s a fascinating story that’s well worth reading on it’s own merits. But it also provides keen insight on the struggle to create new norms, which any cybersecurity leader looking to promote change should appreciate.
From reading Dr. Gawande’s article, I’ve identified four reasons why you should lead all your change efforts by first using your relationships:
- Technology alone won’t get the job done. Dr. Gawande describes seeing unused incubators pushed into dark corners, broken due to lack of spare parts or switched off due to a lack of electricity. As technologically advanced as the units were, dropping them off in underdeveloped countries and then making no arrangements for integrating them into local life speaks to the lack of relationships.
- Requests, incentives, and penalties only work up to a point. Merely requesting a change will win over a certain percentage of the audience, but probably not as many as you wanted. Studying the tax code of any country will reveal incentives are hard to get right. People have a way of maximizing incentives for themselves, often to the detriment of the stated goals, and in ways the authors never imagined.
- Research has shown relationships are the most effective way to bring about change. We can introduce a new idea to people. But, people follow the lead of other people they know and trust when they decide whether to take it up. Everett Rogers wrote: “Every change requires effort, and the decision to make that effort is a social process.”
- Real-world experiences. In his article, Dr. Gawande tells a story about how drug makers persuade stubborn doctors to prescribe new medicines: “Evidence is not remotely enough, however strong a case you may have. You must also apply ‘the rule of seven touches.’ Personally ‘touch’ the doctors seven times, and they will come to know you; if they know you, they might trust you; and, if they trust you, they will change. Human interaction is the key force in overcoming resistance and speeding change.”
I encourage you to read the article for yourself. It’s persuasive and very inspirational. And, you’ll find out why anesthesia got into the operating room faster than antiseptics.
Have I convinced you that relationships are the best method for improving cybersecurity? If not, why not? Do you know a better way?
Please note: I reserve the right to delete comments that are offensive or off-topic.