There are two main strategies I use when I’m in the role of CISO:
- Make sure people know what’s expected of them. This includes written procedures, training, and periodic reminders through multiple, standard communications channels. This is the main strategy towards the goal of minimizing human error.
- Modify the organization’s employee disciplinary system, so the expectations in #1 are within its scope. The objective here should be obvious: You need to hold people accountable when they fail to meet expectations. This secondary strategy is so crucial to the success of the overall goal that I would not start strategy #1 without knowing I could make these changes.
Here is a key assumption of both strategies: I implement them through the direct supervisors of the people who are at risk of making errors. Without the support of the supervisors, your overall chance of success is quite low.
Why? Because people pay more attention to their supervisors than anyone else at work. If supervisors don’t support your program, then people won’t take you as seriously as you need.