Episode 32: Neil Goodrich Talks about the Importance of Soft Skills in Security Compliance

We often talk about regulations and compliance on our podcast. But the cornerstone really comes down to getting employees to buy in to the importance of security – and that includes everything from following processes to not clicking on random links. Our guest today is Neil Goodrich, a member of the executive leadership team at M. Holland Company, who talks with us about what his company is doing and the best way to get employees to follow security protocols. You just may be surprised at his approach and ideas.

Here are the highlights from this week’s episode:

How PI Work Prepared Him for Being a Business Analyst

Goodrich describes his early career as “bounding around,” and after working several jobs (including one as a private investigator), Goodrich landed a position as a business analyst. He realized that in solving problems and translating between different vocabulary sets, he’d finally found his dream job. While being a business analyst put him at the center of the technology world, Goodrich felt his role was really a creative enterprise because he had to create teams and think about technology in new ways. When faced with an ambiguous situation, which he describes as “the hallmark of leadership roles,” he went back to the lessons he’d learned as a PI. For example, when his job led him to dealing with workers compensation or insurance fraud, he knew how to get the person involved to tell him what had actually happened or was happening.

Business and creativity

“Being a business analyst required creativity, such as figuring out how to get a job or how to get the answers needed. This is infused in all creative work – soft skills, influencing, negotiating and consensus building.”

– Neil Goodrich, a member of the executive leadership team at M. Holland Company

Transparency without Increasing Risk

Goodrich shares that his team at M. Holland Company has thought about using their customer data to identify patterns that others miss because the data is fragmented, and then offering that data to both suppliers and customers. While he sees this idea as proprietary value creation, he also expresses concern about transparency and security with the data – such as allowing a customer to see that they have requested a free sample from the supplier and that the supplier has approved the request. However, moving to this model requires data from both their system and the supplier, which brings up the question of how to turn the walls invisible without being risky or insecure. He says that brings him back to one of the biggest questions of data and privacy: how to be transparent without putting security at risk.

Putting the Pill in the Peanut Butter

When it comes to getting their employees to take security seriously and follow protocols, Goodrich’s company first tried the traditional security training – an expert comes in and talks for two hours, boring everyone into playing on their phones the whole time. Sure, everyone got a piece of paper saying they attended, but their retention and adoption was zero.

For their next security training effort, Goodrich found a company offering short (10 to 12 minutes) animated training videos with a character named Dee – who did terrible things in terms of security. The employees loved it. The company eventually moved to a different company, which offered shorter videos (4 to 5 minutes) with multiple choice questions at the end. On their first (baseline) test, no one passed. Now, they have a 100% pass rate. Goodrich compares it to the fact that nobody has ever had to go to training to use their iPad. Why? Goodrich says it’s because the training is fun, and you don’t even realize you are learning.

Fun security training

“Does your 13-year-old want to sit in a 2-hour lecture on security? No. Neither does a 43-year-old. That’s ridiculous. Everyone wants to have fun, so you make security fun. People have to swallow the pill – so put it in peanut butter, and they don’t realize it. We ask “How do I make it easy for someone to do it and make it so you aren’t even thinking about it?”

– Neil Goodrich, a member of the executive leadership team at M. Holland Company

Keeping Your Badge in Your Pocket

Goodrich has learned that if you have employees behaving in a way that you don’t want them to continue, the best approach is to take the time to really figure out why they’re doing it. He says that to get buy-in from employees, you have to not act like you have a “badge.” Anytime you have to flash your badge and get compliance through hierarchy, the second you walk away – the lesson takes a walk with you. Often, the employees are doing whatever it is they shouldn’t be doing not because they’re being malicious, but they’re simply trying to do their job and don’t realize they have another option. Goodrich says that when he gets closer to the action and really helps solve the employees’ issues in a more secure way, then he can make meaningful change – instead of the employees going back to their previous unsecure method when he walks away.

Long-term change vs immediate compliance

“I think so much of change is in the soft skills – in all shapes and forms – and that’s often overlooked in the technology space or the security space. It’s hand-wavy and mush. But how do I put those on the Gantt chart? I think soft skills are the lost arts that can be forced multipliers when you move around the organization.”

– Neil Goodrich, a member of the executive leadership team at M. Holland Company

Ready to listen?

These are only the highlights of our discussion. This episode has many more interesting ideas and perspectives to help you create a culture of security at your company. And the fun part of this podcast is especially amusing – we talk about elephants, sandwiches, and whistling. The only way to find out is to listen to the whole episode.

Listen now