Working in IT, one of my biggest challenges has been to convince end-users that it is worthwhile to forego a convenience in the name of security. Regardless of whether it’s requiring the use of multi-factor authentication or forcing a computer to auto-lock after a certain amount of idle time, it often boils down to the end-user facing some sort of hindrance to their productivity. I completely understand their frustrations. I’ve managed Active Directory networks that served around 15,000 people and still managed to lock out my account. Was I annoyed? Absolutely, but I understood the need for the control. If you take the time to explain security to the end-user, they’ll be more likely to understand your decisions.
Here are some tips I’ve found to be helpful when convincing an end-user to implement a security control:
- Remind – Remind them that you’re not making this change just for fun. It’s being done to reduce the likelihood that your organization’s systems will be compromised by an attacker.
- Example – Give an example of a high-profile breach that could have been prevented by implementing this control. It’s likely that they’ve had their personal information exposed as a result of a breach within the last few years. Even if they (somehow) haven’t personally been affected by a data breach, they have a friend or family member who has. Using an example of something that has affected them personally will go a long way toward helping them understand why it is worthwhile to implement a security control that could have an adverse effect on their productivity.
- Analogy – Still having trouble rationalizing why you’re implementing a new security system? Try to use an analogy to describe how the new control will help prevent an issue. For example, if they are upset that they can’t reuse a password across multiple systems, remind them that the key to their Ford vehicle won’t work on ALL Ford vehicles.
- Describe – Take some time to describe why you’re implementing the new security control. It’s important to make the effort to explain the task in terms that the end-user will understand. Don’t use the complexity of the topic as an excuse. If you can’t explain the issue to a non-technical employee, chances are, you don’t understand it yourself.