Ever won­der why cyber­se­cu­ri­ty is so hard for peo­ple to get right? And, why are cyber­se­cu­ri­ty lead­ers fail­ing to con­vince peo­ple to work more secure­ly? We can learn some great lessons by study­ing the spread of med­ical and oth­er tech­nolo­gies and then apply those lessons to cyber­se­cu­ri­ty tech­nolo­gies we know make a dif­fer­ence, such as pass­word man­agers.

For exam­ple, anes­the­sia (specif­i­cal­ly, chlo­ro­form) was in world-wide use less than a year from its intro­duc­tion in 1846. In con­trast, anti­sep­tics, which were pro­mot­ed in the 1860s, took over twen­ty years to become estab­lished in most oper­at­ing rooms. Why the dif­fer­ence?

Dr. Atul Gawande: “We yearn for fric­tion­less, tech­no­log­i­cal solu­tions. But peo­ple talk­ing to peo­ple is still the way that norms and stan­dards change.”

Here’s why: The spread of all new ideas about what’s good and how things should be is depen­dent on peo­ple talk­ing to each oth­er. Everett Rogers, who is best known for intro­duc­ing the term ear­ly adopter, tells us that “Every change requires effort, and the deci­sion to make that effort is a social process.” In oth­er words, new ideas are spread and adopt­ed pri­mar­i­ly through rela­tion­ships.

I’ve learned this les­son the hard way. Only after wast­ing $30,000 of my bud­get and a good chunk of polit­i­cal cap­i­tal try­ing to imple­ment a new, home­grown cyber­se­cu­ri­ty tool did I real­ize my lack of the right rela­tion­ships had doomed me almost from the start. Based on what I learned from my fail­ure, I take a dras­ti­cal­ly dif­fer­ent approach to intro­duc­ing change these days. My approach is more rela­tion­ship-dri­ven, which is what you should do as well, so that your change efforts will be more suc­cess­ful.

Back to anes­the­sia ver­sus anti­sep­tics. The New York­er pub­lished an arti­cle by Atul Gawande: Slow Ideas. You may remem­ber one of his well-received books, The Check­list Man­i­festo. (Save your­self some time and mon­ey: read the arti­cle upon which the book was based.)

Slow Ideas describes and pro­motes Atul’s Bet­ter Birth project. It’s an exper­i­men­tal approach to reduc­ing the rate of death among moth­ers and babies dur­ing and short­ly after child­birth in poor­er coun­tries. And, along the way, Atul also answers the ques­tion about anes­the­sia ver­sus anti­sep­tics.

It’s a fas­ci­nat­ing sto­ry that’s well worth read­ing on it’s own mer­its. But it also pro­vides keen insight on the strug­gle to cre­ate new norms, which any cyber­se­cu­ri­ty leader look­ing to pro­mote change should appre­ci­ate.

From read­ing Dr. Gawande’s arti­cle, I’ve iden­ti­fied four rea­sons why you should lead all your change efforts by first using your rela­tion­ships:

1. Tech­nol­o­gy alone won’t get the job done. Dr. Gawande describes see­ing unused incu­ba­tors pushed into dark cor­ners, bro­ken due to lack of spare parts or switched off due to a lack of elec­tric­i­ty. As tech­no­log­i­cal­ly advanced as the units were, drop­ping them off in under­de­vel­oped coun­tries and then mak­ing no arrange­ments for inte­grat­ing them into local life speaks to the lack of rela­tion­ships.
2. Requests, incen­tives, and penal­ties only work up to a point. Mere­ly request­ing a change will win over a cer­tain per­cent­age of the audi­ence, but prob­a­bly not as many as you want­ed. Study­ing the tax code of any coun­try will reveal incen­tives are hard to get right. Peo­ple have a way of max­i­miz­ing incen­tives for them­selves, often to the detri­ment of the stat­ed goals, and in ways the authors nev­er imag­ined.
3. Research has shown rela­tion­ships are the most effec­tive way to bring about change. We can intro­duce a new idea to peo­ple. But, peo­ple fol­low the lead of oth­er peo­ple they know and trust when they decide whether to take it up. Everett Rogers wrote: “Every change requires effort, and the deci­sion to make that effort is a social process.”
4. Real-world expe­ri­ences. In his arti­cle, Dr. Gawande tells a sto­ry about how drug mak­ers per­suade stub­born doc­tors to pre­scribe new med­i­cines: “Evi­dence is not remote­ly enough, how­ev­er strong a case you may have. You must also apply ‘the rule of sev­en touch­es.’ Per­son­al­ly ‘touch’ the doc­tors sev­en times, and they will come to know you; if they know you, they might trust you; and, if they trust you, they will change. Human inter­ac­tion is the key force in over­com­ing resis­tance and speed­ing change.”

I encour­age you to read the arti­cle for your­self. It’s per­sua­sive and very inspi­ra­tional. And, you’ll find out why anes­the­sia got into the oper­at­ing room faster than anti­sep­tics.

Have I con­vinced you that rela­tion­ships are the best method for improv­ing cyber­se­cu­ri­ty? If not, why not? Do you know a bet­ter way?