What is the fastest way to shut down a privacy programme? It’s not a breach; breaches can make programmes stronger. It’s not budget; there’s a lot you can do with very little budget. Company culture, however, can reduce a privacy programme to nothing before it even gets out of the starting gates. In this article, I’m going to touch on my top three culture-based destroyers of privacy (or cybersecurity) programmes.

Executive Exclusion

What it is:

For any programme to take hold, it needs to apply equally and with a uniform approach across the company. If a team or division is treated differently, it breeds resentment or apathy towards the exercise. At the general team level, this is fairly easy to address, even if it comes to exercising some temporary autocratic leadership. It becomes a significant problem though when the team in question is the Executive Committee or senior leadership. When the executive team excludes itself or holds itself above the policies of the company, you’ve got an issue.

Why it’s a problem:

You can be as forward-thinking as you like, with your vision and mission statements plastered all over your company walls and email stationery, but if your executive team is able to bypass the policies at will or bend the rules at their whim, no one else is going to take the programme seriously. It always astounds me how executives will assume that their bypass of the rules will be seen as a necessary management function, when in fact it is mostly just seen as a dangerous disregard for company policy and procedure. When the executive team stops playing by the rules, there is no incentive for anyone else to do so either – whether you see it or not.

How to address it:

The executive team needs to be on board, and they need to be held accountable for privacy and cyber security like any other staff member. More importantly, they need to hold each other accountable for it. When there is no accountability for disregarding the rules, it just keeps happening – and no staff member is going to hold an exec accountable, no matter how open your “open door policy” is. You cannot have just the CISO or information officer accountable for security; the whole team needs to be committed to it.

Normalisation of Deviance

What it is:

This is where a breach of policy becomes business-as-usual. It’s all in the name: deviation from the policy becomes a normal operation of the business. On day one, it’s a breach of policy. On day two, it’s a necessary rule bend “just this once”. On day three, it’s a necessary exception to the rules. By day four, it’s how you perform this specific task going forward.

Why it’s a problem:

Think of it this way: you put in a policy that states “no one may use Gmail for company communications”. Steve in sales needs to urgently send financial information to a client, but the Advanced Threat Protection (ATP) is blocking the mail from leaving. Instead of logging a call with IT to clear the email, Steve sends the documentation from his Gmail account. This is a clear breach of policy, but there’s no harm because it’s “just this one time” and Steve will log it with IT as soon as he’s done.

Three weeks later, Steve still hasn’t logged it with IT, and he needs to send the same information out for a new tender. He knows Gmail worked before, so he just goes ahead and does it, bypassing the protections of the ATP. Going forward, Steve may train new employees that in order to send out certain things, you “just need to go through Gmail”. This is an extreme example, but I’m sure you are getting my drift as to why this is an issue.

How to address it:

Have “strong opinions loosely held”. If you’re going to make a policy, be sure to enforce it. But if a policy makes it impractical to do business, you need to open the door to discuss it. Some policies may be non-negotiable, and then it is important to be clear that they cannot be breached. Others may be worth reviewing if they are affecting business. You need to be sure, though, that you are monitoring the policies that are in place, and that they’re not just written on paper and forgotten after staff sign their acknowledgement of them when they start at the company.
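One way to make that monitoring concrete for the Steve scenario above, as an added example that is not part of the original article: a small Python script that correlates a blocked outbound mail with a visit to personal webmail by the same user shortly afterwards, and flags users for whom this has become a repeat pattern. The log formats, hostnames, users and the 30-minute window are constructed assumptions, not any particular product’s output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the article): an outbound mail filter log and a
# web proxy log for the same users and dates. All names and domains are made up.
MAIL_LOG = """\
2024-03-04T09:12:05Z action=block user=steve@corp.example to=client@partner.example reason=dlp-financial
2024-03-04T09:40:11Z action=allow user=anna@corp.example to=vendor@shop.example reason=-
2024-03-25T14:02:44Z action=block user=steve@corp.example to=tender@agency.example reason=dlp-financial
2024-03-25T15:10:00Z action=block user=anna@corp.example to=press@news.example reason=dlp-financial
"""
PROXY_LOG = """\
2024-03-04T09:15:30Z user=steve@corp.example host=mail.google.com action=allow
2024-03-04T10:00:02Z user=anna@corp.example host=intranet.corp.example action=allow
2024-03-25T14:05:12Z user=steve@corp.example host=mail.google.com action=allow
2024-03-25T16:30:00Z user=anna@corp.example host=servicedesk.corp.example action=allow
"""

# Personal webmail hosts that the policy says must not carry company data (assumed list).
WEBMAIL_HOSTS = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}
WINDOW = timedelta(minutes=30)  # how soon after a block a webmail visit counts as suspicious


def parse(log):
    """Turn 'timestamp key=value ...' lines into (datetime, dict) pairs."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields))
    return events


def find_bypass_candidates(mail_log, proxy_log, window=WINDOW):
    """Map user -> list of (block time, webmail host) where a personal webmail visit
    by the same user followed one of their blocked outbound mails within `window`."""
    blocks = [(ts, f) for ts, f in parse(mail_log) if f.get("action") == "block"]
    visits = [(ts, f) for ts, f in parse(proxy_log) if f.get("host") in WEBMAIL_HOSTS]
    hits = defaultdict(list)
    for bts, bf in blocks:
        for vts, vf in visits:
            if vf["user"] == bf["user"] and bts <= vts <= bts + window:
                hits[bf["user"]].append((bts.isoformat(), vf["host"]))
    return dict(hits)


def normalised_deviance(hits, threshold=2):
    """Users who have repeated the pattern: the 'just this once' that became routine."""
    return sorted(user for user, h in hits.items() if len(h) >= threshold)


if __name__ == "__main__":
    print(normalised_deviance(find_bypass_candidates(MAIL_LOG, PROXY_LOG)))
```

A single hit is a conversation with the user and a prompt to log the ticket; a repeat hit is the signal that the policy, the tooling, or both need the review the paragraph above describes.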

“It’s not my box”

What it is:

Many years ago, I worked for a company that had a mantra that came down from the executive. This mantra was simply: there’s no such thing as “it’s not my box”. Say there was a company moving premises, and there were boxes everywhere. The mantra meant that in moving, no employee should shirk the responsibility of carrying a box to the moving van because “it’s not my box”. Everyone needs to work together.

Why it’s a problem:

When you have a company culture that operates on ‘everyone for themselves’, you absolutely will not get a privacy programme off the ground. I have seen this in a number of companies, some of whom I have parted ways with. When staff are solely driven by the exact tasks that are listed in their KPIs, you’ll likely never get a programme to take hold in the company.

How to address it:

Out of the three issues listed, this has to be the most difficult to turn around. This is normally a deeply ingrained cultural norm that will take months or years to correct. Often it stems from unrealistic performance expectations, draconian policies, or simply bad micro-managers. When staff solely aim to hit their KPIs and don’t do anything above and beyond, you’re never going to remove the blinkers enough for them to look at cyber security or privacy issues. Get that incident response plan ready; you’re going to need it! Alternatively, start getting that bus to turn around bit by bit, starting at the top.

Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity: from affordable 16-week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.
