I love how the legal community has rallied around the need to address security issues in their firms. Discussions around security are happening at all levels of firms in ways that haven't been seen in years! The attendance and participation in the 2015 LegalSEC Summit is evidence that law firms are continuing to step up their security efforts in the face of an ever-changing world of threats and security land mines. Great technology solutions are being introduced. New safer and more secure processes, procedures, and policies are showing up in firms at unprecedented rates. Leadership of firms has come around to see this as a business need. While all of this is fantastic, we can never lose sight of the fact that people are our biggest asset AND still our biggest area of potential exposure and risk. Rather than writing this off as a given that we can't address, we need to dig into this issue and find a way to stop the bleeding.
So, how do we reach people? How can we communicate with people in such a way as to have the best chance of getting through to them? How do we get people to the point where they’re willing to adopt changes in their daily workflows because they understand that it's the right thing to do? I'm glad you asked! There are great creative approaches, tools, and guidelines available, but here's a simple yet important element that can't be overlooked …It Takes a Village! (I know, it's a bit of a tired cliché but that's how I roll)
There’s no one-size-fits-all approach to communicating security awareness to your people. So the challenge is to strategize how to make the topic relevant to EVERYONE … INDIVIDUALLY! This takes planning and a "village-style" approach.
The Law Firm organizational structure and culture creates a challenge for change. In many cases, it’s a flat organizational structure with multiple partners. It’s also a culture of deep rooted traditions and values. While this is a difficult environment to implement necessary changes in security, it’s not impossible. In fact, this type of environment reinforces the need for the change management methodology we’ve built into the OnGuard Security Awareness Program planning. The goal is to reach INDIVIDUALS. We can't just send out a message from "on-high" and expect everyone to follow it blindly. That message is very important but it's not enough.
Getting the message closer to home
The onus of responsibility falls on us when rolling out security awareness to make it matter and to make it relevant. What matters to some may not matter to others. A discourse with a partner will be an entirely different conversation than a dialogue with a secretary or administrative employee. What resonates with me may not resonate with you. We need to evaluate what resonates with each type of person in your firm and engage the right people to communicate the message. In this way, you have the best chance of getting each person to recognize their own personal responsibility in these security efforts. To make it personal requires us to enlist and engage more than just top level leadership in the process. For examples of how to make the message personal, read Julia Montgomery’s recent blog post, Information Security: It’s Personal. You can also read more of my blog posts for the reasons behind why messaging Security Awareness is important… read, Trust Matters, and Security: What You Do Matters… Yes, Even You!
IF we don't reach everyone in such a way that it matters to them, we'll never have the cultural change we need. Without context, people will continue to see security initiatives as just an impediment to getting their work done. Without context, people will continue to find ways around our security procedures, practices, and protocols in favor of simpler and more convenient ways of getting their work done. Context varies by title, role, and responsibility so the message can't just come from one source.
All Hands on Deck
To reach everyone, top level leadership is critical but not the only voice needed. We must involve and activate all direct level supervisors and other key influencers to join in the effort. Individuals want to hear from the top about firm initiatives, but need to hear from direct influencers closer to where they live and work to answer the questions, "does this apply to me?" and "how does it impact me directly?"