1. Communicate Proactively and Effectively

Let your employees know about the security changes before they are implemented. Provide as much detail as possible, but don’t overwhelm them with “techy” wording - make it clear and easy for everyone to read. Identify and communicate the “5 w’s”- who, what, when, where and why. Really focus on the “why” and the reasoning behind the change. Change in general is often difficult for many. It can be especially hard for long-time employees who have been performing the same poor security practices year after year. Providing a general understanding of the reasoning behind the change can go a long way.

2. Make it about Them.

Let’s face it. Many employees couldn’t care less about the security health of their organization. What they don’t realize is that their actions could cause a major security incident, bring the company crashing down, and leave them without a paycheck - searching for a new job. When talking security, make sure they’re aware of the impact their actions have not only on the company but themselves.

3. Listen and Request Feedback

Be open and available for employees to voice their concerns. There are times when increased security can make tasks take longer and put strains on productivity. Just because a new security control is put into place, doesn’t mean it is set in stone and can’t be adjusted. Let your employees know you want to hear their concerns and you’re willing to make adjustments if possible.

4. Get Leadership Support

It’s important to make sure the leadership teams are on board and are ready to help lead the way. If you have a lack of support from the top it’s really hard to make everyone else see the value. First, target the upper level teams, then let them help you spread the new culture throughout the company.

5. Give It Time

You can’t expect the culture of your company to change overnight. It takes time to change and adapt. Especially for organizations that have been around for a while. Be patient and focus on specific incremental goals.