The number and severity of information breaches are rising dramatically, compounded by the expansion of social media, mobile devices, and the porous service-delivery architecture of networks. No industry or service sector is immune, including security companies. Sophisticated technologies and layers of defense cannot prevent the willful, neglectful or even unintentional actions of individuals with the capability to bypass these protections. Sadly, these individuals are often trusted staff, not only external hackers.
Numerous IT security studies have shown the significant role of unintentional behavior behind a majority of internal breaches and security incidents. These are unintended or accidental breaches, with no malicious intent on the part of individuals. The root causes are identified as lack of training, failure to follow procedure, and, increasingly, a lack of focused attention. What can be done to turn this around?
Most organizations have mandatory training, policies and procedures, and consequences for data abuse and neglect. Mature organizations also have monitoring systems, as well as compliance or awareness programs. Security best practices are followed, leadership is committed to compliance, and still, trusted team members do unwise things.
Something fundamental is missing.
The traditional goal of security awareness programs is staff compliance. Everyone is expected and required to follow policies, procedures, and organizational principles. The consequences are corrective action and possibly termination. Unfortunately, many traditional training programs fail to address the law of behavioral inertia: Behavior does not change unless it is replaced by another behavior.
Behaviors are learned, acquired and hardwired over years of practice and reinforcement; they become attributes of our persona and part of our character. Changing them is painful. Hundreds of studies have confirmed how difficult it is to change behaviors. Organizations face the added challenge of constrained resources, such as little time and funding for staff development as well as a lack of leadership skills.
Innovative organizations are trying different approaches and techniques that address the root causes of non-compliance. When training, policies and procedures are in place, the remaining gap is "a lack of focused attention." The current business-speak equivalent is "engagement." According to research firm Gallup, engagement is more than a human resources initiative; it is a strategic foundation for the way the best organizations do business.
Author Daniel H. Pink, in "DRiVE: The Surprising Truth About What Motivates Us," highlights the work of several behavioral researchers who have found that motivation in the modern workplace does not mesh with traditional "if-then" reward- and punishment-based methodologies. Rather, "intrinsic" motivations like autonomy, mastery and purpose are much healthier and more rewarding for workers, and more profitable for organizations. Pink's argument is that intrinsically motivated workers usually achieve more than their reward-seeking counterparts.
About Christopher Paidhrin
TITLE: IT Security Compliance Officer
COMPANY: PeaceHealth Southwest Medical Center
- One-person IT security team at midsize regional health care system with 3,500 employees, 90 IT professionals and 3,500 affiliated clinic workers.
- Provides expert IT security, HIPAA, HITECH Act and health care technology best practices and regulatory guidance to community health care providers in southwest Washington and the Portland-metro area.
- Leader for disaster recovery and business continuity planning for a regional public health coalition.
- Active participant in the Healthcare Information and Management Systems Society (HIMSS) Security Working Group.
- Created a Mind Map for IT Service Management (ITSM) to help his IT team and international audiences understand the complexities and interrelatedness of IT security service domains.
The customer benefits as well. Intrinsically motivated staff delivers a higher quality of service, and this has a direct correlation to customer satisfaction. For example: In the hotel sector, the research of professors Laurette Dubé and Leo Renaghan confirmed that staff "attentiveness" is the highest priority of guests.
The behavioral compliance challenge can be reduced to replacing unwanted behaviors with desired behaviors, which are "attentiveness" and "engagement." So, how does an organization foster intrinsic motivation? What do attentiveness and engagement mean in the workplace?
Within attention is intention. My definition for staff engagement would be individuals who consistently demonstrate the vision, values and mission of an organization with every action, word and gesture. Staff must internalize and make their own the purpose of the organization. Leadership expectations of staff compliance do not achieve behavioral change; the commitment must come from within each individual. Therefore, leadership's first priority is to strengthen the talent and capacity of intrinsically motivated employees to contribute their attentiveness and engagement to the mission. This is the missing, fundamental element of awareness programs.
Each individual's intention should manifest as a constant thought in his or her consciousness: "What is necessary now, next, and later, and what can I do to fulfill the need and exceed expectations?"
Am I giving my full attention and care to earn the trust of our customers, our patients? Do I demonstrate respect and stewardship by constantly acting with mindful, positive intention? Do I exercise precaution with hardwired attentiveness that recognizes potential harm before I take action or speak? Am I adding lasting value through my service, behaviors, and accountability to ensure good outcomes?
These, then, are the attitudes and behaviors all organizations would foster to ensure productive and motivated staff and achieve service excellence. Either the workforce is actively supportive of an organization's purpose or it presents a persistent risk to its success. Either the workplace culture reinforces these desired behaviors or it doesn't.
Leaders, too, must be accountable. Leadership must refocus awareness programs to engage staff in shared ownership of the organization's mission. Leaders must be role models for the desired behaviors. Positive feedback, respect, pride of success, and joy of service for a higher purpose all strengthen a healthy workplace culture. Engaged workers thrive in environments of common vision, principles, and values.
This idea is not simply high-minded philosophy. All organizations have IT security and privacy concerns. How each organization meets the challenges of these concerns has a direct impact on both the quality of service and growth of the organization.
At PeaceHealth Southwest Medical Center, our dedicated team has been maturing our engagement efforts with what I call "Awareness In Depth." This is a layered approach to information security and privacy as well as staff engagement, which reinforces our culture of respect, stewardship, collaboration, and social justice. The principles and methodologies include:
- Multiple applicant screening criteria, to assure a strong "fit."
- Rigorous interviewing processes. Select, don't hire; each team member represents the organization.
- New employee orientation.
- Confidentiality and privacy agreements, signed upon hire and each year during review.
- Policies, procedures, and processes, including appropriate use and access monitoring.
- Departmental and computer-based training; building relationships and fostering talent.
- Annual, mandatory, Web-based training modules: IT security, privacy, ethics, and appropriate use. Behaviors, even good ones, need positive reinforcement through repetition of values.
- Annual "MUMs the Word" campaign. For more than 20 years, long before HIPAA, PeaceHealth Southwest Medical Center has embraced our nationally recognized campaign of privacy and security awareness. This organization-wide annual event is a measure of commitment to a cultural behavior that we protect the information of our patients as if it were our own.
- Building trust, respect, stewardship, collaboration, and social justice.
- A culture of caring and excellence.
There is no universal agreement among theories of behavioral change, but there is broad business consensus that changes within the workplace are necessary if we are to protect information, assets, reputations, and organizational value. When behaviors are changed, each individual will be engaged and attentive, aligning himself or herself with a shared purpose, as a representative of the organization, its culture, mission, vision, and values. Every customer, patient or guest should take with them a positive and memorable experience from every contact with each staff member who has earned their loyalty and trust.
The Security 7 Awards recognize the efforts, achievements and contributions of practitioners in the financial services/banking, telecommunications, manufacturing, retail, government/public sector/non-profit, education and health care/pharmaceutical industries.