Featured.

“As part of the contract approval process, agencies must submit an ECR (RC215) or PO (RC744) with the appropriate encumbrance of funds. Immediately following the approval of the contract, the encumbrance will be recorded in the CDS against the appropriation from which contract commitments will be paid. Once recorded, State departments and agencies must not reduce the contract encumbrance, except when the estimated liability for the fiscal year is reduced. In some cases, agencies are permitted to data-enter contract encumbrances in the CDS and these must be recorded only in sequence of contract submissions. In the event that a contract is disapproved, the related contract encumbrance will be cancelled by PRB.”
Actual paragraph from a training manual. Acronyms have been changed to protect the misguided.

Hi, are you still reading? Congratulations. Now imagine your company is launching a new process that you’ll have to start using next Monday. You take this training (above) and you’ll have to follow these steps every day. Your trainer defines ECR, RC215, RC744, CDS, PRB, contract encumbrance and estimated liability, but these are all new terms to you. How will you feel walking into work on Monday? Not great, I’m guessing.

Short words are best and the old words when short are best of all.
Winston Churchill

For years, I created training and communications for users of new systems and work processes. I was always struck by how much new language we expected employees to absorb…on top of new skills, tasks, tools, and concepts. I realized we, the change management and learning team, couldn’t solve this problem entirely, but we could make things better.

There are three nasties that desperately want to creep into your training and communications, and their names are Acronym, Made-up and Flowery.

“RIP KGB CIA JUD FDA LSD FBI DMT
ROM PCP UDA FCC KKK MAD CNN BBC
EMI THC ICI TNT DNR MDA SAS
JFK RAM CND IRS LED HBO GHB YSL”
The first verse of “R.I.P. 20 C.”, by Love and Rockets

Acronyms are a reality in most workplaces, but you don’t have to encourage them. If an acronym is hard-coded into a new system or process, you might have to teach it. And if the acronym is already part of day-to-day language of the employee, then go ahead and use it. But try not to inflict any new ones on them; new acronyms have to be decoded, and that takes mental work.

“Oh…’meltdown.’ It’s one of those annoying buzzwords. We prefer to call it an unrequested fission surplus.”
Mr. Burns, Nuclear Power Plant Owner, “The Simpsons“

Made-Up words are terms or euphemisms coined by leadership and the project team. If you use them, employees have to learn what you mean to gain entry to your training and understand their new way of working.

“Old words rule because people know them intimately. Familiar words spring to mind unbidden. Call a spade a spade, not a digging implement. Certainly not an excavation solution.”
Jacob Nielsen and Hoa Loranger, “Prioritizing Web Usability”

Flowery sounds pretty but like many pretty ones, she’s a bitch. Every extra syllable or complex word clings to your communication like a barnacle, weighing down and hiding your message.

“But,” you correctly point out, “the team built the thing (system, tool, initiative, job) using these new words. So now we have to use them!” Quite right. But think about it this way: you’re the expert on the people side of the change. Make a case for stripping out the nonsense, where you can. And, next time, stake your claim early on. Influence the project team to use plain English (or your spoken language).

Most tricky words don’t benefit employees. IT and integrators are comfortable with terms they made up, or words that come with the system. Management loves the spin their catchy terms and euphemisms put on a tough transition. Help them see their words are not helping achieve their objective: smooth adoption and achievement of the project’s business benefits. The easier it is for people to understand, the more readily they do something new. Use words that make sense to the people who will drive your change.

First, the good news: retail sales picked up in December driven by improved demand at car dealers, Internet retailers, furniture stores and building materials outlets. But sales continued to decline at department stores, restaurants, and electronics/appliances merchants.

Retail is undergoing the biggest transformation in decades. Most department and specialty store operators announced terrible holiday sales and negative comps. As reported by CNBC, RetailNext found that, despite a spike at the end of the holiday season, sales and traffic fell in double digits for many brick and mortar retailers. But this isn’t a seasonal problem.

America is completely over-stored. According to Howard Davidowitz of Davidowitz and Associates we have three times the retail space per person of the United Kingdom, Japan or Canada. CoStar estimates that over one billion square feet of retail will be closed or converted in the coming years. Over $50 Billion in real estate debt on retail stores is coming due in the next eighteen months; this is in the context of a rising interest rate environment and low economic growth (no more than 3% of GDP).

Retail experts expect tens of thousands of stores to close in the coming years. These are some of the store closings announced just this month:

• Sears will close another 104 stores, laying off 4,000 employees. They have closed more than half their stores since 2011. Roughly 80% of remaining 714 leased Kmart Stores and half of the 386 remaining Sears stores will come for lease renewal in the next five years and will likely be shuttered.
• Macy’s is closing 68 stores, laying off 6,800.
• Limited (owned by Sun Capital Partners) is closing all of its 250 stores, and will probably liquidate merchandise online.
• Abercrombie & Fitch will likely close up to 50% of its remaining 745 leased stores over the next 18 months, as leases expire.
• American Eagle is expected to close 185 stores over the coming year, as leases expire.

Thousands of employees will lose their jobs in the ongoing shift from brick and mortar to online retail. Even Walmart, once expansionary, is now closing stores in favor of investments in online retailing. Walmart spent $3.3 Billion to buy Jet.com, a money-losing online retailer that is barely one year old. And why not – online retail represents only 10% of the retail market and is expected to climb to over 50% in the next fifteen years. Amazon just announced they will hire another 100,000 employees in the US over the next 18 months. Retail sales are systematically shifting online and the biggest beneficiary of that trend is Amazon and any retailer that gets ahead of the trend.

Retail companies need a proven, disciplined approach that delivers results.

So what does that mean? First, make hard decisions quickly. Uncertainty is the retail leader’s greatest enemy. It is more important than ever for retail companies to have a plan to steer through this tsunami of a marketplace.

To do this, leaders must be certain. Align the entire management team around a common vision and strategy, and do it with speed. Playing catch-up is not good enough, as many retailers have discovered the hard way.

Once you have a well-conceived plan and your leaders are aligned, create momentum. How do you create momentum across your entire company? There are two essentials.

• First, focus on your early adopters. Get them engaged and working toward the new way of doing business. Yes, you will need the entire company behind your changes, but don’t try to win every heart and mind at first. Ironically, you’ll move faster if you identify and deploy influential people, ate every level, who will adopt your change and get moving.
• Next, make the change feel familiar, controlled and successful to employees. They have to feel safe and confident of success, or you’ll get nowhere. Moreover, research shows we must create momentum within 90 days of launching a change – again, speed is of the essence.

So management needs more than a plan; they must engineer momentum by using the right people and launching the right activities. In a vacuum of direction, employees are uncertain and afraid; lack of certainty will make any initiative fizzle.

Strategize fast, align and get on-message, and create momentum. The whole marketplace is changing forever, but the swift and strong will survive.

Christian is Vice President, Consulting for Emerson Human Capital. Christian has led enterprise-wide transformational retail consulting projects for Gallup and Accenture and worked in global development for Walmart and Metro AG.

If you think technology is the answer to your organization’s cybersecurity threats, consider the following:

• Sending phishing emails to just 10 employees gets hackers inside corporate gates 90 percent of the time, according to Verizon Communications’ 2015 Data Breach Investigations Report. For the last two years, more than 2/3 of cyber-espionage incidents have featured phishing wherein attackers establish themselves on user devices and infiltrate the network.
• In the first half of 2015, malicious attachments became the go-to method for hackers to gain access, and a new stream of phishing attacks targeting businesses also began, according to a threat report from Proofpoint.
• The percentage of cyber-attacks targeted toward employees jumped from four percent in 2007 to 20 percent in 2010, according to a KPMG study. More recent research estimates that 40 percent of cyber-breaches could have been avoided had employees been aware of the risks and taken appropriate actions.

“The best technology on the market won’t help you if the bad guys get to your people,” says Mark Stone, CIO of the Texas A&M University System. Danny Miller, Texas A&M University System’s CISO, echoes that. “Even if you have the latest and best technology installed, one misstep by a user can throw it all out of the window.”

As more attacks are directed toward employees, many organizations are unprepared to react. They are also surprised by how difficult it is to change behaviors of the people on the front lines.

Here are five ways to transform your people from cybersecurity liabilities to cybersafety assets.

1. Realize it’s a change problem. 

Behavioral change is tough, and we cannot achieve a marked and long-lasting change with traditional communication, standard training, or mild promises of a better future. One reason is that these blanket approaches promote a diffusion of responsibility – people don’t think the problem lies with them. Think of sexual harassment and inclusiveness training; people attend courses because they must, but they think the training is targeted at someone else.

One chief security information officer confided that his biggest issue is that each department believes its own people are fine, and the risk truly sits with “the knuckleheads in other departments.” His question: how do we get people to understand that cyber risk is not a reflection on the integrity of the team; it is an individual mindset of vigilance to identify constant, undefined risk?

We can use behavioral science to help us. For example, research shows that we stay in a system until it no longer works for us personally. Economists and behavioral scientists Daniel Kahneman and Amos Tversky found that we feel the pain of loss more acutely than the pleasure of gain. So we unconsciously take greater risks and make bigger changes when confronted with painful situations. It’s why we stay in expired relationships and mind-numbing jobs. Until the pain is too great, we do nothing.

So how do we get people to feel enough “pain” to change? How do we get our colleagues, employees, and affiliates to understand that every one of us is a weak link and our current behavior is dangerous?

“Scaring people is a tactic that I certainly use to get their attention,” says Chris Walter, CIO of Central Garden & Pet. “Getting permission from employees who have been targeted and then using those real examples… That really resonates.” Some companies use internal phishing exercises. Through real-life stories and simulations, the employee understands viscerally that it can happen to him or her.

Jeff Dalton, Information Security Officer for the Bank of Marin recommends making it personal. “You wouldn’t want your personal information out on the web, would you?

Be prudent when you surf the web or click on something.

“Relate the experience to that individual level.” Mr. Walter says he helps leadership feel the urgency in a number of ways. “I tell the executives that the network we have is just as much a corporate asset as your plant. Imagine if your plant were hit by a tornado.”

2. Link it to culture. 

Culture is made up of the unspoken rules by which decisions get made. MIT professor Dr. Edgar Schein says that, when a group of people engage in a behavior and are successful, they repeat it. That constant repetition becomes culture. We might also think of culture as a collection of organizational habits. It’s a powerful force, perpetuated by the brand of the company. People choose to work for Google or Coke because something about that brand resonates for them, personally. And it’s tenacious; changing a culture is like changing the course of a river – it requires dynamite. It’s easier not to swim upstream, but to harness the power of that culture to change behaviors. We must link new behaviors we want to what the culture already supports.

Behruz Nassre, VP Technical Operations, Security & Compliance for TubeMogul, an advertising software company, directly links their security efforts to their culture. “There are two to three things that are important here. First, we train people that if they say they are going to do something, they do it. Second, we do things fast and do not reprimand failure. We send that message with our internal hacking attempts. If you fail, it’s OK so long as we learn from it and move on.” He also links their security efforts to the coding sprints their developers already do. “We encourage our programmers to look at security output as a reflection of quality rather than risk. In the same way there’s a bug and a fix; security bugs through static code or vulnerability are a quality feature to address.”

3. Make it familiar, controlled, and successful.

Familiar: We evaluate all new situations by comparing them to what we already know or experienced. If something is familiar and we judge it as safe, we are more likely to do it. As we try to change risky cyber behavior, consider what our constituents might compare this effort to, and create links that make sense to them. For example, in a health environment, caregivers vigilantly wash hands. Asking people to pause before clicking is the electronic equivalent.

When Patrick Wilson, Chief Information Security Officer and Associate Director of Clinical Applications at Contra Costa Health California implemented a mandated password format change, he said, “One metaphor I used was comparing the complexity of an eight-character password to walking across the Golden Gate Bridge. Changing it to 12 characters is like walking from the Golden Gate to the Statue of Liberty—it’s that much more difficult to breach.”

Controlled: In a chaotic world, we seek structure and predictability. We can handle devastating news, even a cancer diagnosis, if we know what to expect and have specific actions to manage our situation. We must design cyber programs with this in mind. In many ways, it’s like planning a typical IT deployment but for the employee’s experience, so you and they know what to expect and feel in control.

In the case of cyber risk, this starts with clearly defining the behaviors we need from our employees—what we what them to do (behavior), when they should do it (trigger) and the confirmation that it worked (reinforcement). And we must schedule these activities so they layer systematically, establishing new habits.

A program conditioning people to recognize undefined, potential hazard might look like this:

• Month 1: Recognize cyber risk generated by others.
• Month 2: Recognize the cyber risks I create.
• Month 3: Recognize risks inherent in my environment.

Each week would focus on one simple behavior, with the associated trigger and acknowledgement. Like so:

• Month 1: Recognize cyber risk generated by others.
• Week 1: Pause before clicking attachments.
• Week 2: Pause before opening external email.
• Week 3: Call IT if suspicious.
• Week 4: Tell the requestor you’ll call them back.

Successful: Finally, people adopt new behaviors if they believe they will be successful. In the research, it’s described as “outcome primacy” —our first experience has a “substantial and lasting effect on subsequent behavior.” (Journal of Experimental Psychology: General 142 (2): 476–488. doi:10.1037/a002955)0.. For example, if someone starts a diet and loses weight in the first week, he or she will continue the diet. We must engineer success for users, as they practice and start to use the right cyber behaviors – make sure they understand when they have done it right, then repeat that experience over and over so that the behavior is naturally reinforced.

As a leaders, we must engineer success for users.

4. Don’t communicate; focus attention. 

Many organizations create extensive communication programs, but each wave communication is competing for individuals’ attention. We filter out “noise,” and pay attention to what is clear and relevant to us. Our challenge then is to focus attention so that our information about safe cyber behavior gets through our people’s selective filters. One of the most effective ways is to get the organization “on-message” about the program, much like a political campaign. If team members can describe the effort passionately, without a PowerPoint, using their own examples, we win.

Think of the message as a square anchored by four words: one for the current situation, one for the solution, one for the method of getting there, and one for the result. For example, these words might be:

• Current: Vulnerable – Our current way of working is broken and we are at risk.
• Solution: Discerning — Employees should easily decide what’s nefarious.
• Method: Questioning — Employees should think about whether each action is risky.
• Results: Nimble — Our organization responds quickly and appropriately to relentless threats.

It’s imperative that key people agree on those words; the debate will help internalize them. The square shape helps too – visualization makes it memorable. Examples supporting the words must come from the team working on the message. And, as long as words remain constant, the team will be able to describe what they’re doing consistently in every conversation from the coffee shop to the boardroom.

Mr. Dalton underscores this: “Having them all in the same room and talking about it the same way – consistency of messaging. They have to lead by example so when I have senior staff and board room discussions, the message is always the same; they have the same frame of reference.”

5. Measure and benchmark behaviors.

It always comes down to accountability, both at the organizational and individual levels. Mr. Nassre uses a variety of tactics. “We put out a monthly security report to our execs that includes a product and IT perspective, and a physical security perspective. These are the number of machines hit by viruses, how they were hacked, these were the campaigns we ran, these are total number of people who clicked that shouldn’t have, these are the number of bad passwords we found. We’re looking at trends.

Mr. Wilson’s approach is similar. “We discuss the number of infections, number of inquiries regarding investigations, the number of computers needing to be rebuilt due to malware.” He added, “We do a lot of our own assessments internally. There’s a physical audit where we go to a new site each month and act as normal patients and talk with the local onsite management to discuss what they did extremely well and what they didn’t. Many organizations forget about the physical site.”

There are traditional benchmark sources like (ISC)2, SANS Institute and Brian Krebs. But, as Mr. Wilson observed, many organizations are overlooked by the larger benchmarking firms, and take inspiration from peer groups. “We meet with other facilities of the same size and revenue range.”

The importance of the right cybersecurity behaviors cannot be overstated. And pulling the right behavioral levers will make all the difference to your company’s security.

Published March 2016 by Security Info Watch

Mr. Colbert called out what makes a great leader: Mastery. Modeling. Intention. Focus. Respect for others. Character. If there’s a better definition of what it means to lead well, please let me know. Here’s Colbert’s entire speech. Thank you Mary Stewart (no relation) for transcribing it (I fear blood was dripping from her ears, like Jon’s Fox News staff). (Are you kidding? You paid me to listen Stephen Colbert. Could that be my whole job now? – MS)

==================

SC: “Jon, like Frodo, you are leaving us on a voyage for the undying lands. For 16 years, you and your basic cable fellowship of funny clutched that ring of power and trudged up the steep slopes of Mount Doom. The ring of power in this metaphor is a metaphor for power. The power to be a player in the world of media and Washington politics.”

JS: “Yeah but I don’t really want that, so…”

SC: “Jon, you know who else didn’t want that?”

JS: “Frodo.”

SC: “Your words, Jon. Frodo thought surely Saruman would know they meant to destroy the ring, but I don’t have to tell you what Gandalf said about that.”

JS: “You’re just going to tell me though, aren’t you?”

SC: “He said, and I’m paraphrasing here, though I could do it verbatim if I wanted… He said, ‘My fellow Americans, it has not entered into Sauron’s darkest dreams that we would seek to destroy rather than wield this hideous power.’ And in Gandalf’s metaphor here, power also stood for power.”

JS: “I just want to say that I am so touched that everybody could be here tonight…”

SC: “Me too, Jon. Is there a party or anything? Because I brought a lot of people from CBS and I told them I know you.”

JS: “Yes, there is a party and you can go to it. Stephen Colbert, everybody.”

SC: “Actually, Jon, we’re not quite done. Just a moment, Jon. No…you can’t stop anyone because they don’t work for you anymore. Huge mistake, Jon. It’ll be quick if you just hold still.

Jon, I’ve been asked and have the privilege to say something to you that is not on the prompter right now. Here’s the thing, Jon, you said to me and to many other people here years ago never to thank you because we owe you nothing. It is one of the few times I’ve known you to be dead wrong.

We owe you … and not just what you did for our career by employing us to come on this tremendous show that you made … we owe you because we learned from you. We learned from you by example how to do a show with intention, how to work with clarity, how to treat people with respect. You are infuriatingly good at your job. And all of us who were lucky enough to work with you for 16 years are better at our jobs because we got to watch you do yours. And we are better people for having known you.

You are a great artist and a good man and personally, I do not know how this son of a poor Appalachian turd miner … I do not know what I would do if you had not brought me on this show. I’d be back in those hills mining turds with Pappy. Jon, you know by now I’d have Dung Lung. So Jon, I know you are not asking for this, but on behalf of all those people whose lives you have changed over the last 16 years, thank you. And now, I believe your line is … and correct me if I’m wrong … ‘We’ll be right back.’”