July 17, 2013


The desire and need to change behaviors in business is common. Entire practices are built to ease change in business. The resulting changes are expected to produce gains in productivity and otherwise increase the value of the organization.

In security, we need people to change their behaviors. After a few decades of advancing and implementing new technology, we realize now the vital role people play in protecting systems and information.

We seek people who build better passwords, make smarter decisions, and communicate challenges more accurately and quickly to us. Done right, these changes, like other efforts, increase the value of the company.

An increase in security and a corresponding increase in the value of the company is entirely possible – with the right change.

Change is hard; the right change is harder

While easy to call for behavior change, various reports place the failure rate of change projects over 70%. In reality, the actual number of failed programs is likely higher.

To figure out why, consider the conundrum of changing behaviors.

Change is scary. We naturally fight change. When we desire others to change their behaviors, we skip a key point: to get others to change their behaviors often means that we need to change first.

The pathway to changing security behaviors is to make security make sense (and not to make people understand security).

Enter the conundrum: to make security make sense requires a change in the way we capture, distill, and effectively communicate the value of security. More, it means crafting experiences for people to gain understanding from information. We have to design programs that lead understanding to action.

My experience with transformational change

My work on influencing the necessary behavior change in organizations is informed no only by training and research, but through profound personal experience. No stranger to exploring personal change, I am in the middle of a remarkable transformation experience.

I started a yoga practice in December, and worked into a routine of practicing 3-5 days a week. A little over a month ago, without intention, I attended seven days in a row. The studio owner asked if I was attempting a 21-day challenge?

What’s a 21-day challenge, I asked?

Nothing complicated, it turns out. You simply practice yoga at the studio for 21 days in a row. While I hadn’t set out for a challenge (or even a change, really), I shifted my goal and decided to do it.

The power of daily, purposeful practice of anything is impressive. With the support and guidance of the entire studio, I found myself moving deeper into poses, trying – and succeeding – with more advanced sequences, and venturing into more advanced classes.

In three weeks time, I successfully completed the 21-day challenge. The gains I made in yoga positively impacted every area of my life. I decided to continue with purposeful, daily practice.

From challenge to transformation

That’s when an instructor asked me how many days I planned to keep going. Oddly, I had calculated I could make it 63 days before my next scheduled trip (yup, I’m enjoying a rare travel break).

She smiled. Then her response changed me further: real transformation comes in 40 days.

Now, 63 days is clearly longer than 40 days. But suddenly my change shifted from challenge to transformation. I embraced the change in my plans without hesitation.

Today is day 36. Each day I marvel at the changes in the last few weeks. Not only in my poses and practice, but in my life. The organic transition from challenge to transformation in yoga led me to change my behaviors in writing, business, and with our family goals.

This week, I embarked on a 40-day writing transformation. I had planned a 21-day challenge. Now I expect to write and publish for 40 consecutive days. Mindfully writing and sharing the research, notes, and ideas pent up in my head.

Change starts with us; it works inside out

When I write about the need to change, it comes from a place inside me. I needed to change.

I am changing.

By exploring my own experiences and changes, I am better able to provide authentic leadership and guidance to my clients and those I am honored to work with.

To make a difference in security, to change behaviors means we need to change first. It starts by adopting a new mindset. That’s the purpose of the value imperative program (keynote and other). That leads to a shift in habits and the acquisition of new skills.

We need to work together and support each other

Along the way, we need to support each other through the discomfort, the risk of embarrassment, and the process of growing into a different role. We need to set ego aside, adopt the mind of a beginner, and welcome change into our own practices.

When we change first, it is easier to understand the experience of others on the journey of change we prescribe for them. More, we are able to cultivate the skills and attitude necessary to lead successful change.

This is our journey.

This is our time to make the change so we can influence a change in others.

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.