It can be difficult to make security a permanent and default behavior within your company, and organizational change management is an unpopular topic in the security industry. After over 30 years of enforcing security through technology changes and re-engineering, the effects on people — and effects of people’s actions — are still not top of mind.

Many companies have conducted communications campaigns with some success. We have certainly spent more and more money each year on security — and if you consider the effects of the millennial generation joining the workforce and buying our products, the user community is arguably more technologically astute and security-aware than ever before. Yet adoption remains low, and user behavior is still among the leading causes of security vulnerabilities.

Organizational Change Management Challenges

In typical organizational change management — such as with restructuring, divestitures or large software package implementations — opposition is expected. There is often an emotional attachment to the old way of doing things and a wariness of change in general. These changes follow the Kübler-Ross Change Curve:

While this life cycle is common, I frequently see a different pattern, since changes affecting security are not typically as emotional as other organizational shifts. Instead, users experience other unique challenges such as confusion, avoidance, slow adoption and frustration.

Since security typically affects technology and processes, users need reminders and repetition, particularly for infrequent tasks and responsibilities. For example, if the user access recertification tool and policies change, users are only affected every 90 or 180 days. Security leaders must reinforce best practices often to encourage users to build new behaviors.

A Holistic Approach to Change Management

Instead of technology and processes, we need to focus on our people by communicating and taking a holistic approach to security. A well-used model of this holistic approach shows how vision, skills, incentives, resources and action plans affect organizational change. I’ve adapted this model slightly to represent change management in terms of security and user behavior:

This custom model for change management includes the following components:

  • Mindset is the understanding of what security is, what it does for the organization and how it affects individuals, plus a healthy dose of fear, uncertainty and doubt (FUD). Without this clarity, users are left confused about why security is so important and what success looks like.
  • Skills include the knowledge and ability, gained through training or practice, to adopt the change. Absent the right skills, users are anxious about how to do their work and how to adopt the change.
  • Incentives reward users for adopting secure behaviors. These may be balanced with consequences for failure to follow security best practices. Poorly defined or poorly enforced incentives can result in slow adoption.
  • Resources are the supporting items that provide information and assistance so users don’t have to rely purely on memory. They also include the technologies and executive sponsorship necessary to conduct business more securely.
  • Action plans consist of defined activities, timing, dependencies and responsible parties to effect the change. A team that lacks an action plan may experience false starts and repeated failures.
  • Leadership is what ties these concepts together with a consistent voice and unified vision. That doesn’t mean totalitarian command and control. Rather, in the words of decorated Navy SEALs and authors Jocko Willink and Leif Babin, “there are no bad teams, only bad leaders.”

Define the Approach Before the Details

Incorporating this model and these six areas is not as hard as it seems. The primary mechanisms are communications and a strategic plan. The most essential question to ask in developing an approach is, “Are we reaching the right people with the right message at the right time?”

It’s common for technologists to jump right into planning email campaigns to announce changes. After all, who doesn’t have email? However, that is rarely the right first step, and it’s probably not the best communication channel. Instead, start by deciding on a strategic approach: low-touch versus high-touch; email versus verbal; presentation versus conversation; collaborative versus directive; and top-down versus bottom-up.

As you and your team work through the many options and try to answer the question posed above, you will find that every audience is slightly different. Therefore, security leaders must be intimately familiar with the organizational culture.

For example, high-touch, top-down, verbal presentations in small audiences are usually effective for executives in a sales-focused culture, but not for call centers with hundreds of employees. Similarly, your customers are unlikely to sit through a 30-minute video about your new password policy — anything more than a 60-second message will likely fall on deaf ears.

Devising a Change Management Plan

After defining the strategic approach, we need a way to systematically plan, monitor and collaborate among the team. This calls for a concrete change management plan. The first thing to build is a list of stakeholders — either individuals or groups of people — and their communication needs. This could be a long list; I have seen lists of stakeholders with more than 50 rows.

Once you know who is affected and how they prefer to receive information, identify the action, timing and dependencies, key messages and resources. Some communications and resources can be sent to multiple stakeholders, so it’s important to keep the list of activities separate from the user list. Once both are defined, it’s possible to complete the last step: Fold the lists together into a final matrix by assigning the appropriate audience to each action, as shown below.

This change management plan becomes the embodiment of the action plan referenced above. If done well, it will address all the other elements of success. All communications and resources should build understanding and encourage users to buy into the change. The necessary skills should be delivered through these communications, particularly training and supporting resources.

These communications should be recurring and continually improved to support users’ growth. Asking executives to influence behaviors and changing personal performance metrics — two of the most effective mechanisms — require coordination and actions that can be tracked. Creating content for resources is often a time-consuming activity that requires collaboration among experts, reviews, approvals and periodic updates.

Putting the Plan Into Action

Leadership, or the intangible skill required to drive change management activities, should be manifested at all levels of the security team. In my experience, changes to technology and process, which affect such a large user community, require unique skills to lead.

Occasionally, larger programs require the singular leadership of an articulate and organized person who can influence people up and down the line. A security program needs a structure, and this communications leader must be included. Select and assign this person carefully, because a lot of responsibility will fall on his or her shoulders.

By creating a thoughtful and intentional plan, security practitioners can make longer lasting changes, and increase adoption and awareness throughout the company. This type of investment in empathy and understanding will pay many intangible dividends, strengthen the organizational culture and reduce overall security risks.
