Cybersecurity is important for every company. It is a field that spans both people and technologies. Most companies that are trying to build an internal “security culture” or make “compliance” part of their everyday operations feel some level of conflict, sometimes to the point where people refuse to follow cybersecurity policies, or even leave their jobs because they feel security is too cumbersome, too invasive, too much of a hassle. Obviously, securing your digital assets is important, but your business will be equally at risk if the company’s most important assets – its employees – stop believing that this company is the right place for them to be.
A good change management process will not make introducing better security easy – but it will make it realistic, doable, achievable. Without good change management, your security program will most likely not succeed.
Pillars of cybersecurity practice and how they all demand change management
Improvements in cybersecurity practice require organizational change. They change the way we do things, and they change the technologies we work with. Failing to acknowledge that this requires management will give your improvements a much more difficult journey than they need. Let us consider five typical pillars of cybersecurity practice and how they affect people.
- Cybersecurity policies
- Security awareness training
- Technical security controls
- Detection and incident response
- Continuous improvement
Cybersecurity policies are the rules to live by. Hopefully the rules have some connection to objectives and work with what the business is trying to achieve. Invariably, introducing new rules is going to ruffle someone’s feathers. Failing to manage this as the change it actually is makes it much more likely that people will ignore the new rule.
Security awareness training is obviously important, as we know that more than 80% of successful cyber attacks have some component involving social engineering. The awareness needed for your people to work safely in a digital world spans much wider than most companies realize – from how to work with approved tools and technologies, to how leadership influences security behaviors, to how stress or lifestyle challenges can negatively impact our ability to react rationally to online risk factors. Good awareness training is relevant for the business, and for each role in that business. Using the same generic content and forcing everyone to attend the same training is most likely counterproductive and can contribute to further alienation from your cybersecurity program.
Technical security controls should not cause friction in day-to-day tasks, but sometimes they do. And sometimes this cannot be avoided. In these cases, managing the change properly is critical to avoiding “shadow IT” – people using other non-approved solutions to get the job done. Another aspect is privacy: if you have technologies that are intended to detect cyber attacks, it is likely that the same technologies can be used for surveillance of employees. Putting controls in place to avoid abuse, and making this transparent should be a conscious effort to both protect your digital assets as well as the privacy of both employees and customers.
Detection and incident response is an important part of any mature cybersecurity strategy. Your company will be hacked, and when this happens you need to detect it and respond to the threat to minimize damage. This may require actions that interfere with people’s jobs, such as seizing a computer for forensics. It may also require detection capabilities that challenge privacy rights – as discussed above. Transparency and communication are key to avoiding unnecessary conflicts.
Finally: continuous improvement should underpin any organization’s security program. The threat landscape evolves, and so should your defensive practices. Learning from incidents is a commonly acknowledged need in cybersecurity management, but you should also focus on learning from what works and what doesn’t in change management.
How change driven cynicism can kill your cybersecurity program
The ideal often brought forward in change management is the “bottom-up” approach – where the need for change is recognized by employees, and they nudge the organization towards the required change in an organic and non-forced manner. This avoids the core problem with top-down change. The only problem is that the need for change is often recognized at the top and then forced on the organization, often with leadership believing that the need for change and how it fits with the strategy of the firm is self-evident to the employees. After all, an article about this was posted on the Intranet a week ago, so everyone should be on board, right? Of course, it doesn’t work that way.
Many top-driven change processes lead to conflict, and often they fail completely to make the transformation that is desired. The reason is often disagreement on the need for change, a lack of involvement of employees and other stakeholders, and failure of the management team to understand the perspective of other stakeholders on what the change means for them. The results of such conflict can be very damaging to an organization, including:
- Distrust in management, up to rumors about dishonesty and ill intent of the change driver
- Sabotage actions trying to stop the change
- Lack of collaboration, general distrust between groups that adapt to the change and those that do not
Managing change will never be a frictionless undertaking, but allowing enough time for involvement, and providing real forums for involvement where stakeholders can actually influence the way the change is introduced, can help a great deal.
Blueprint for introducing new cybersecurity building blocks
Let’s say your organization has conducted a risk assessment and ended up with a list of new practices and technologies to lower the cybersecurity risk. One such practice could be a new corporate antivirus system that reports cyber threats to a management server controlled by the company. The antivirus software regularly collects an inventory of all software and processes running on each workstation and laptop. It also reports all web links blocked based on its threat intelligence feeds, as well as any malware detections. Another change that goes together with the new antivirus solution is that employees will no longer be able to install software on their workstations themselves. The CISO sees this as necessary and a big improvement over the past practice, which has led to undetected malware infections and people syncing their work documents to their personal Dropbox accounts. The CISO at this company has experience with introducing similar controls at another company, and that was a disaster. That company simply removed all administrator access without telling employees, and installed an antivirus solution of the same kind. The CISO and the rest of the management team had been surprised at the outrage this caused:
- The union threatened to sue the company over illegal employee surveillance. They claimed the company was spying on them because it collected the process list and software inventory, and that this constituted “broad and unjustified surveillance”
- Several employees claimed they would lose many hours each week because they needed to use Dropbox. This, in spite of the company investing in a corporate cloud storage solution that they could access from any web browser. Employees refused to use this solution, claiming it didn’t work well enough for their specific storage needs.
- A group of employees stopped using their work machines for work and brought their personal computers in, in spite of BYOD (bring your own device) not being allowed in the company due to regulatory requirements from the authorities for the type of financial services business this company was doing. This led to the company being fined by the authorities. Eventually the CISO was fired for “endangering the business through draconian security rules”. This in spite of the fact that the financial services regulations also required them to introduce exactly the type of security controls we are talking about here.
Not wanting to repeat the very unpleasant experience from his last company, the CISO this time reached out to HR to ask for advice on how to manage this change. The HR director was an expert in change management, and advised the CISO to plan a 6-month transition process to avoid counterproductive reactions and excessive friction. Let’s take a look at the steps recommended by the HR director.
Articulate the need for change
Sell the change. Make sure to communicate on multiple levels, selling the change on the pains it will remove and the gains it will introduce. Make it evident that not changing will make the pain worse, or stop you from seeing gains. In terms of cybersecurity it is mostly about the pains: not introducing the change will lead us to be hacked more frequently, we will lose more money, and your job security will be at risk. This is what we want to avoid. Make sure the change is communicated in a context that makes sense to employees – perhaps the threat to shareholder value isn’t the relevant context for the person maintaining your construction company’s cranes.
When articulating the need, focus more on the needed outcomes than the path to get to that outcome. You need involvement to find the best path, and you don’t have that input yet.
Recruit change agents early
A change agent is someone who helps drive the change, someone who sees the need and the benefits the change will introduce. You need change agents at all levels of your company – not only middle managers, not only factory floor workers, not only C-suite members. The change agent helps you avoid cynicism, helps you sell the need for change, and helps you stay on course or adapt as needed throughout the process. Hence change agents should:
- Not be appointed but sought out because they share your vision for what the benefits of the change will be
- Be respected among their peers
- Have insight about the business processes and the ability to ask tough questions
Having a team of change agents will make the process smoother, and it will make true involvement of employees much easier because they already enjoy peer level trust.
Seek out barriers to change and deal with them
People don’t like change. That is why it is so difficult to succeed with it. You need to seek out barriers to change and deal with them in a reasonable manner.
Take the Dropbox ban that was introduced in the CISO’s previous company. How could they have better worked with that need? The first barrier to this change is that people say the provided cloud storage solution doesn’t fit their needs. This may or may not be the case, but that people feel this is the case is a real problem.
- Ask people what does not work with the corporate solution that Dropbox solves for them
- Check if people have received information and training on how to use the corporate tools. Make sure this happens well in advance of a “ban”. Change the corporate solution if it doesn’t fit the actual needs.
- Start nudging people towards using the approved solution by actively sharing from it, having managers request a “OneDrive link” or similar instead of a “Dropbox share”.
- Make sure everyone understands why the change is necessary.
- Set a deadline for transitioning to the new way of working.
Keywords: time and involvement before compliance. Remove the barriers if you can, and give people time to adjust.
Celebrate small wins
Change is hard, and it requires people to make an effort to do something in a new way, or to accept that something they used to rely on is no longer available. When a change has been introduced and the new way of doing things is working successfully, show appreciation for the effort it took to get there. Even if not all change objectives have been reached yet, make sure those that have been accomplished are made visible, including the benefits this brings to the organization.
Sustaining “the new normal”
Sometimes organizations make an effort to introduce new security behaviors, a new technology, and after one year it is back to the old way of doing things. Regression is not acceptable, and making an effort to sustain “the new normal” as part of the organization’s culture is very important.
- Leaders and change agents must stay on track
- Update corporate training to present the new way of doing things as the default way of doing things. If you created e-learning content on “why we are changing to this new concept”, that e-learning is outdated once this is your standard mode of operation. Awareness training is about “what we do and why we do it”, not about “what we wanted and why we wanted it”.
- Make the benefits of the new way of doing things visible over time. If your change was to introduce two-factor authentication on webmail, share with everyone the number of times this has stopped hackers from getting access.