July 17

The conundrum of changing behaviors


The desire and need to change behaviors in business is common. Entire practices are built to ease change in business. The resulting changes are expected to produce gains in productivity and otherwise increase the value of the organization.

In security, we need people to change their behaviors. After a few decades of advancing and implementing new technology, we realize now the vital role people play in protecting systems and information.

We seek people who build better passwords, make smarter decisions, and communicate challenges more accurately and quickly to us. Done right, these changes, like other efforts, increase the value of the company.

An increase in security and a corresponding increase in the value of the company is entirely possible – with the right change.

Change is hard; the right change is harder

While easy to call for behavior change, various reports place the failure rate of change projects over 70%. In reality, the actual number of failed programs is likely higher.

To figure out why, consider the conundrum of changing behaviors.

Change is scary. We naturally fight change. When we desire others to change their behaviors, we skip a key point: to get others to change their behaviors often means that we need to change first.

The pathway to changing security behaviors is to make security make sense (and not to make people understand security).

Enter the conundrum: to make security make sense requires a change in the way we capture, distill, and effectively communicate the value of security. More, it means crafting experiences for people to gain understanding from information. We have to design programs that lead understanding to action.

My experience with transformational change

My work on influencing the necessary behavior change in organizations is informed no only by training and research, but through profound personal experience. No stranger to exploring personal change, I am in the middle of a remarkable transformation experience.

I started a yoga practice in December, and worked into a routine of practicing 3-5 days a week. A little over a month ago, without intention, I attended seven days in a row. The studio owner asked if I was attempting a 21-day challenge?

What’s a 21-day challenge, I asked?

Nothing complicated, it turns out. You simply practice yoga at the studio for 21 days in a row. While I hadn’t set out for a challenge (or even a change, really), I shifted my goal and decided to do it.

The power of daily, purposeful practice of anything is impressive. With the support and guidance of the entire studio, I found myself moving deeper into poses, trying – and succeeding – with more advanced sequences, and venturing into more advanced classes.

In three weeks time, I successfully completed the 21-day challenge. The gains I made in yoga positively impacted every area of my life. I decided to continue with purposeful, daily practice.

From challenge to transformation

That’s when an instructor asked me how many days I planned to keep going. Oddly, I had calculated I could make it 63 days before my next scheduled trip (yup, I’m enjoying a rare travel break).

She smiled. Then her response changed me further: real transformation comes in 40 days.

Now, 63 days is clearly longer than 40 days. But suddenly my change shifted from challenge to transformation. I embraced the change in my plans without hesitation.

Today is day 36. Each day I marvel at the changes in the last few weeks. Not only in my poses and practice, but in my life. The organic transition from challenge to transformation in yoga led me to change my behaviors in writing, business, and with our family goals.

This week, I embarked on a 40-day writing transformation. I had planned a 21-day challenge. Now I expect to write and publish for 40 consecutive days. Mindfully writing and sharing the research, notes, and ideas pent up in my head.

Change starts with us; it works inside out

When I write about the need to change, it comes from a place inside me. I needed to change.

I am changing.

By exploring my own experiences and changes, I am better able to provide authentic leadership and guidance to my clients and those I am honored to work with.

To make a difference in security, to change behaviors means we need to change first. It starts by adopting a new mindset. That’s the purpose of the value imperative program (keynote and other). That leads to a shift in habits and the acquisition of new skills.

We need to work together and support each other

Along the way, we need to support each other through the discomfort, the risk of embarrassment, and the process of growing into a different role. We need to set ego aside, adopt the mind of a beginner, and welcome change into our own practices.

When we change first, it is easier to understand the experience of others on the journey of change we prescribe for them. More, we are able to cultivate the skills and attitude necessary to lead successful change.

This is our journey.

This is our time to make the change so we can influence a change in others.


You may also like

Are you using frameworks properly?

Leadership and communication are actually layers, not levels

  1. Very interesting post, Michael–it went in a direction I wasn’t expecting. I’m curious about how you’ll connect it up with the goal of getting people to change their behaviors related to security. Do you devise a 21-day (or 40-day) challenge related to security- and privacy-aware behavior in the workplace? And what would that look like?

    1. Hi Tom,

      How did you think it would go?

      Insightful question. In the past, I promoted something I dubbed the “two week test” –> with the idea that we can try anything for two weeks (this week and next week) because it is easily in sight.

      Based on this experience, yes, I do think we need to explore some tests, challenges, and transformations that allow us to both promote new behaviors, as well as new understanding.

      Right now I have some planning on how to incorporate this into my communication training offerings. However, I am actively considering if/how the same approach would work more broadly to change behaviors.

      Anything come to mind?

Comments are closed.
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!