Saturday, February 02, 2008

Information Security Requires Changing Minds

It is a well-documented fact that for most organizations, compliance with information security policies is a largely voluntary activity. The only way to consistently advance security is through the active support of the groups that the security organization is responsible for protecting.

Everyone recognizes the need for "buy-in," but few articulate where to get it, and more importantly, how to sustain it. This is what makes Howard Gardner's book, Changing Minds, so essential for policy, governance and security practitioners. Many authors have taken on aspects of this subject, from How to Win Friends and Influence People [Carnegie] to Execution: The Discipline of Getting Things Done [Bossidy and Charan]. But typically, they look at the techniques of successful change instead of the fundamental elements these techniques address. Bossidy and Charan argue "You cannot have an execution culture without robust dialogue...robust dialogue starts when people go in with open minds...[and]...ends with closure...people agree about what each person has to do and when." [pp.102-103] If you start with an open-minded group, good for you. But what if they're not open-minded, and they don't report to you?

Gardner, who is a psychologist, not a CEO or CSO, doesn't presuppose a particular starting point. Instead, he identifies the contents of the mind, the forms that this content can take, the levers which influence mind change, and the differences across various types of audiences where this change occurs.

As an example, several years ago I had a role that depended on a strong working partnership with a department that was in the process of being eliminated from the company. This team had a number of operational responsibilities that made it a likely target for attempts to access sensitive company information, and seemed highly vulnerable due to morale and turnover issues. Thankfully, the team had exceptional management and was highly professional, and was willing to look at its role beyond the soon-to-be-ending tasks. Through a combination of education about the threats, specific training to combat likely forms of attack, and a modest reward system for successfully responding to suspicious events, I supported the process of helping the group change the view of its role in the company, add new skills, and make a significant impact during a critical transition period.

At the time I wasn't really aware of all of the "moving parts" that made that story a success. But Changing Minds provides the tools for analyzing, and (hopefully) duplicating such outcomes. In this situation the team represented a relatively uniform population with a common set of concepts and skills, but with a rather discouraging story, i.e. "our group is about to be phased out." Through a combination of reason and research with a new story that resonated, supported with training and rewards, the low resistance of the group was overcome and the team executed their new skills very effectively.

Gardner identifies six audiences for mind changing, four categories of mental "content," nine forms this content can take, and seven levers that affect the outcome.

Starting with the audiences, ranging from addressing a nation to just one individual, or even oneself, Changing Minds gives a rich set of case studies for each:
1. Leading a Diverse Population. Changing the minds of a nation, examined through the experience of Margaret Thatcher.
2. Leading an Institution. Gardner looks at James O. Freedman's experience at Dartmouth. A reading of "Building Block Two: Creating the Framework for Cultural Change" in Execution provides intriguing parallels in a corporate context.
3. Changing minds indirectly. The role of science, scholarship and the arts.
4. Mind changing in a formal setting. This goes beyond the one-way transfer of information and assumes an interactive process of discovery and response: "consider...entrenched views...and the ways in which these views might profitably be reformulated..." [p. 145]
5. Mind changing up close. One on one.
6. Changing One's Own Mind.

Changing Minds lists four specific categories of content that are the focus of change efforts: concepts, stories, theories and skills.

Concepts are the most elementary building block; for information security, defense in depth, principle of least privilege, and “need-to-know” would represent fundamental concepts.

Stories are another fundamental category. Thatcher’s story was straightforward, easy to understand and resonated with her audience of the time: “Britain has lost its way.” When discussing levers of change, stories and their “counter-stories” form a critical battleground where change agents directly engage resistances.

Theories represent relatively formal explanations of processes; X causes Y. They can be based on facts, true or false assumptions, and personal or educational experiences. Again, in the security realm, theories could include the view that: ‘most successful attackers are: insiders / outsiders … most attacks are purely technical / involve some degree of social engineering…’

The last category of content is skills. Skills are made up of the practices of which an individual is capable. Gardner argues that when a practitioner fundamentally changes their approach to a task, this represents a significant change in mind.

He further points out that while all minds share similar types of content, this content can differ significantly in form. Drawing on the theory of multiple intelligences, these forms are described as either object-based or symbol-based, with a key takeaway being that people differ in their ability and willingness to absorb content based on its form of presentation.

Mind changing is most effective when resistances are low, and the other six levers, each beginning with re-, work in concert. They are: reason, research, resonance, representational redescriptions, real world events, resources & rewards.

Research provides the "proof" that the current concepts, stories or theories are outdated and need to be replaced, while reason presents this information via logical arguments. Along with real world events, these levers affect the "potency" of a leader's message. But it's not just the potency that counts -- it's also how well that message is absorbed by its audience.

Resonance describes the persuasiveness of the new story, theory or concept. Ideas which resonate “feel right” to the recipient. Finding and applying the resonance can be challenging, however, as it involves not only the content of the message, but also its timing, and how well it harmonizes with the existing perspective of the audience and the persona of the messenger. On this last point Gardner contrasts Bill Clinton's talent for getting in tune with his audience to neutralize opposition with Newt Gingrich, who seemed to consistently stimulate it.

And while a leader may be working with a single message, that message best resonates when it is offered and considered in many different forms through a variety of representational redescriptions. At times these redescriptions are provided by the leader, but in other cases a leader can provide resources to their audience, along with rewards and incentives for the group to develop and "try out" the idea on their own.

These levers work positively to bring about a change, but they must overcome resistances. These resistances are characterized as the “counter-story”: existing representations which a leader hopes to convince their audience to supplant. Resistances must be met with resonating integrity, in an ethical approach. “One can – and must – go through an exercise of deep and pervasive mental surgery with respect to every entrenched view: define it, understand the reasons for its provenance, point out its weaknesses, and then develop multiple ways of undermining that view and bolstering a more constructive one. In other words, search for the resonance, and stamp out the resistance.” [p.145]

Affecting an organization requires reason, and resonance – but having the right story is only the starting point. Meaningful change takes time. “New ideas do not travel easily, and it is hard for them to take hold. Because we cannot know in advance which formats will prove effective in communicating a new message, we are well advised to use several alternative formats…We need to monitor the words and actions of a leader’s constituents to glean how ideas have been translated and internalized…until we ‘get it right’--or at least until the next change in context challenges current representations and calls for yet another take on the situation at hand.” [p.102]

In conclusion, it may seem discouragingly difficult to effect change. But rather than seeking the perfect message, or the perfect presentation, it may be better for a leader to engage an audience--resistances and all--early and often, and find many ways to bring those ideas forward. It may also help to give an audience the tools needed to rework that message into a variety of forms and find the ones that fit. The more active a leader is on this front, the more likely that they'll be ready to capitalize on real world events as they unfold.