Getting teams to improve security can be hard work, but it is an important job that organisations must take seriously in an increasingly hostile threat landscape. In this post I want to explore some ways an organisation or individual might start building a new security “habit”, so that, in time, acting securely becomes automatic.

Define it

The first step is defining what you want the habit to be. There are probably plenty of security processes or activities you would like to turn into habits, and how you define each one can make all the difference. Whilst this might seem like common sense, how you put together the definition is an important starting point for ensuring the habit will stick.

Useful things to consider at this stage include making the definition simple and easy to understand, but detailed enough that it is clear how you measure success or failure: think “Review Unexpected Changes on Windows Servers every morning” rather than “Check File Integrity Monitoring”. The first names a scope, a data source and a cadence, so each day you know whether the habit was kept; the second does not. I generally find that a little wiggle room in the definition works well, as it allows (especially during the early stages of habit formation) some tolerance so you don’t get put off carrying out the task.

Cue it up

Consider whether it is possible to set up cues that encourage the habit. A scheduled reminder or email can put the requirement in front of you (or the person in whom the habit should be formed), although care should be taken to make this engaging rather than an annoyance. When planning your habit trigger, bear in mind that for those already complaining of busy email inboxes a daily mail may be more frustrating than encouraging, whilst for others a task item might not provide sufficient visibility if they don’t already manage things through a task