Conversation, collaboration and collective policy making will be discussed in our webinar – The Human Factor: Embedding Security Behaviours for Cyber-Aware Culture – on Tuesday 29th November. If this blog whets your appetite, sign up for it on our website.
We’re all part of our organisation’s culture and we shape it through our conversations and behaviours. Culture change, by its very nature, therefore, is innately collaborative and has to be inclusive. Rules imposed from above don’t work because they exclude people from the process of culture change. Switching from a culture of instruction to one of conversation generates the movement necessary to include everyone as the collaborators in the development of the ideal security culture we are all aiming for.
The Problem with Rules and Instructions
Giving instructions is a top-down, one-way process. It gives the person who gives the instruction the impression that they can control the world through a few simple rules that everybody will abide by. Rules serve the rule maker, not average the employee.
Those receiving the instruction are passive and faced only with a binary choice: either they obey or they don’t, but they have invested nothing in the process of creating the rule, and they may not see the reason or the purpose for a rule that, rather than helping them in their job, they see as a hindrance.
Instruction creates a dichotomy between ‘us’ and ‘them’ – a one-way street in which rules are handed down by a small group for others to follow. Conversation is two-way: ‘us and them’ becomes just ‘us’ working together on this.
A Collaborative Approach
Conversation means we can’t make assumptions, arrive at simplistic conclusions and impose unworkable rules. Conversation encourages truth, embraces complexity and brings about collaborative action. When there is a conversation and we collaborate to solve a problem, everyone becomes active and we work with the world as it really is to bring about the change everyone wants to see.
Switching to a more collaborative approach to policy-making means letting go of the impression of control. It means recognising the fact that responsibility for the security of the organisation has been devolved and is the responsibility of everyone now. It means accepting that not everyone will do things in a standardised way, but that everyone is taking their own workable steps to solving problems.
Solutions arrived at collaboratively are more likely to stick because everyone has had a hand in creating them, understands why new behaviours are necessary and has agreed that they are workable within their own area of the business.
Culture is a conversation – and conversations change culture.