
Changing behaviour to build a better, more security-aware workforce.
There is currently a great deal of discussion about how we, as a security profession, should approach the ‘Great Cyber Culture Change’. It is well known that you cannot become more secure simply by attending a training course. The changes need to be made at a grassroots level, to attain a changed approach to cyber in everyday life, both personal and working.
I, like many of you I would imagine, struggle to get my kids to keep their bedrooms clean, or even liveable sometimes! But that is because I am focussing on the outcome of having a clean room when I should be helping change the habits and behaviours that lead to them making their rooms resemble a war zone. And there lies the difference between a change in goal versus a change in habit. This is very clearly defined in the book ‘Atomic Habits’ by James Clear. In the book, James defines the major difference between the three layers of behaviour change:
- Making a change in the desired outcome (what you want to get)
- Changing the process which leads to the outcome (what you do to get it)
- Changing your identity (what you believe in order to identify the outcome needed)
Going back to my kids’ messy rooms: I am working with them to understand the need to put their clothes straight into the laundry basket rather than on their bed or the floor. That change in their process achieves a small change in the desired outcome, tidier and cleaner bedrooms.
This type of small change can be built into workforce behaviour that, by its implementation, will lead to a desired outcome, namely a safe and secure environment. We have already done this in the world of OT, but we did it to achieve safety rather than security. Now, we need to adapt it to build a change in culture to achieve security. If we can switch this process from ‘outcome-based habits’ to ‘identity-based habits’, we can start changing the workforce so they properly understand how the changes build on who they can be from a security perspective. We don’t need everyone to be a security professional; we just all need to better understand how security is an intrinsic part of everyone’s role.
Of course, not everyone believes that they are a part of the security mechanism (we have all had the discussion with someone who believes that security is done by the security team!). So, the best way of changing the outcome is to change the behaviour that got you there in the first place. James Clear says in the book ‘… you may want better health, but if you continue to prioritise comfort over accomplishment, you’ll be drawn to relaxing rather than training.’
Once we can change the way that security is seen by the entire workforce, and show that it doesn’t conflict with day-to-day work, we can start to change the identity which will lead to the desired outcome, a secure environment. Good security habits make sense, but if they conflict with existing workforce identities and processes, they will fail because the belief is that ‘this isn’t who we are’. Some of these identities have formed over many years, so change may be difficult to accept, especially for those who have carried out the same tasks for many years. Therefore, these changes need to be clearly defined in the ways they benefit the individual as well as the organisation. That way, we can start to change the cyber culture and behaviour which, in turn, leads to a more secure workplace.
Author: Tim Harwood, Siker CEO