Not everyone has the same motivation to secure the information they handle or access while they are working. This is something very important for information security and privacy practitioners to understand, but unfortunately too many do not think about motivation factors when creating and managing their information security, privacy and compliance programs.
I wrote about this a few years ago in my article, “Compliance Motivation: The Info Security Diet.”
Many of the concepts I discussed stem directly from Maslow’s Hierarchy of Needs.
Unfortunately most organizations do not stop and think about WHAT motivates their personnel to secure information (or do any other activity they want them to do, for that matter), but it is definitely important to consider.
I was reminded of my 2004 article today while reading a review of “Peak: How Great Companies Get Their Mojo from Maslow.”
Too many times organizations put policies out to their personnel and don’t think about how to motivate personnel to follow them.
Too many times organizations do not think about the different motivations for their personnel when putting together their training and awareness programs.
I’m reminded of so many people I’ve worked with over the years.
* In one organization there was a man who had worked in the mainframe support area for a very long time; he’s still there and has been in the exact same position for over 20 years. Not one promotion in 20 years! He’s happy!! He gets to work right at 8am and leaves right at 4pm. You could set your watch by him. He does no overtime. He does not want to learn anything new. He just wants to do his very specialized mainframe work and nothing else. Sometimes he dozes off at his desk. Why does the company keep him? Because he has deep knowledge and skill in his very specialized topic that the company could not find in anyone else. He has no ambition to do or learn anything more. What motivates him to keep information secure?
* In another organization the information security area used contract workers to do security authorization builds and changes. They typically had 6 – 8 contract workers doing this at any one time. Most of the contracts were for 6 months, and then up for renewal. Most of the contract workers were also right out of college. They often spent their lunch times and any free time they could steal to update their resumes, talk with potential full-time employers on the phone, and do other activities to find a permanent job. What motivated these contract workers to keep the company’s information secure? They knew they wouldn’t get any promotions, raises, or vacation days. They didn’t have a personal investment in the business. They could possibly get a full-time job at the end of their contract, but they knew, based upon the other previous contract workers doing the same work, that it was not likely.
* In another organization the full-time accounting staff are fairly secure in their positions. They have a clearly defined job path that could lead to an executive position. They sometimes have to work overtime under their established salaries. They value their raises and vacations. They really like to get certificates and other tokens of appreciation. They want the business to succeed so they will succeed. They are always looking for ways to get continuing professional education hours to help support their various certifications. What motivates these personnel to protect and appropriately safeguard the information they handle?
I’ve seen these three specific types of folks…and many more. The different groups all require a very, very different motivation for complying with the information security policies and for safeguarding information during their work. These motivators HAD to be a factor within the information security, privacy and compliance program! These motivators had to be addressed within the training and ongoing awareness communications.
Do you know what motivates the different types of personnel within your organization? Do you know what you need to communicate to them, or reward them with, or penalize them with, to get them to appropriately safeguard your information?
This aspect of social psychology is a very important consideration to include within a successful information security, privacy and compliance program. I cover the many different motivators within my article from a few years ago; they are still applicable in today’s business environments.
What is *YOUR* motivation for doing something other than your defined job responsibilities? I’d like to know! Please take the poll on the right side of this screen…you may need to scroll up or down a bit.
It will be very interesting to see what your collective opinions are about going above and beyond your documented job responsibilities. Knowing such attitudes is key to helping you understand the motivation that needs to be applied to your personnel within your information security, privacy and compliance efforts.