It can be difficult to make security a permanent and default behavior within your company, and organizational change management is an unpopular topic in the security industry. After over 30 years of enforcing security through technology changes and re-engineering, the effects on people — and effects of people’s actions — are still not top of mind.

Many companies have conducted communications campaigns with some success. We have certainly spent more and more money each year on security — if you consider effects of the millennial generation joining the workforce and buying our products, the user community is arguably more technologically astute and security-aware than ever before. Yet adoption remains low, and user behavior is still among the leading causes of security vulnerabilities.

Organizational Change Management Challenges

In typical organizational change management — such as with restructuring, divestitures or large software package implementations — opposition is expected. There is often an emotional attachment to the old way of doing things and a wariness of change in general. These changes follow the Kubler-Ross Change Curve:

While this life cycle is common, I frequently see a different pattern, since changes affecting security are not typically as emotional as other organizational shifts. Instead, users experience other unique challenges such as confusion, avoidance, slow adoption and frustration.

Since security typically affects technology and processes, users need reminders and repetition, particularly for infrequent tasks and responsibilities. For example, if the user access recertification tool and policies change, users are only affected every 90 or 180 days. Security leaders must reinforce best practices often to encourage users to build new behaviors.

A Holistic Approach to Change Management

Instead of technology and processes, we need to focus on our people by communicating and taking a holistic approach to security. A well-used model of this holistic approach shows how vision, skills, incentives, resources and action plans affect organizational change. I’ve adapted this model slightly to represent change management in terms of security and user behavior:

This custom model for change management includes the following components:

• Mindset is the understanding of what security is, what it does for the organization and how it affects individuals, plus a healthy dose of fear, uncertainty and doubt (FUD). Without this clarity, users are left confused about why security is so important and what success looks like.
• Skills include the knowledge and ability, gained through training or practice, to adopt the change. Absent the right skills, users are anxious about how to do their work and how to adopt the change.
• Incentives reward users for adopting secure behaviors. These may be balanced with consequences for failure to follow security best practices. Slow adoption can result in poorly defined and enforced incentives.
• Resources are the supporting items that provide information and assistance so users don’t have to rely purely on memory. It also includes the technologies and executive sponsorship necessary to conduct business more securely.
• Action plans consist of defined activities, timing, dependencies and responsible parties to affect the change. A team that lacks an action plan may experience false starts and repeated failures.
• Leadership is what ties these concepts together with a consistent voice and unified vision. That doesn’t mean totalitarian command and control. Rather, in the words of decorated Navy Seals and authors Jocko Willink and Leif Babin, “there are no bad teams, only bad leaders.”

Define the Approach Before the Details

Incorporating this model and these six areas is not as hard as it seems. The primary mechanisms are communications and a strategic plan. The most essential question to ask in developing an approach is, “Are we reaching the right people with the right message at the right time?”

It’s common for technologists to jump right into planning email campaigns to announce changes. After all, who doesn’t have email? However, that is rarely the right first step, and it’s probably not the best communication channel. Instead, start by deciding on a strategic approach: low-touch versus high-touch; email versus verbal; presentation versus conversation; collaborative versus directive; and top-down versus bottom-up.

As you and your team work through the many options and try to answer the question posed above, you will find that every audience is slightly different. Therefore, security leaders must be intimately familiar with the organizational culture.

For example, high-touch, top-down, verbal presentations in small audiences are usually effective for executives in a sales-focused culture, but not for call centers with hundreds of employees. Similarly, your customers are unlikely to sit through a 30-minute video about your new password policy — anything more than a 60-second message will likely fall on deaf ears.

Devising a Change Management Plan

After defining the strategic approach, we need a way to systematically plan, monitor and collaborate among the team. This calls for a concrete change management plan. The first thing to build is a list of stakeholders — either individuals or groups of people — and their communication needs. This could be a long list; I have seen lists of stakeholders with more than 50 rows.

Once you know who is affected and how they prefer to receive information, identify the action, timing and dependencies, key messages and resources. Some communications and resources can be sent to multiple stakeholders, so it’s important to keep the list of activities separate from the user list. Once both are defined, it’s possible to complete the last step: Fold the lists together into a final matrix by assigning the appropriate audience to each action, as shown below.

This change management plan becomes the embodiment of the action plan referenced above. If done well, it will address all the other elements of success. All communications and resources should build understanding and encourage users to buy into the change. The necessary skills should be delivered through these communications, particularly training and supporting resources.

These communications should be recurring and continually improved to support users’ growth. Asking executives to influence behaviors and changing personal performance metrics — two of the most effective mechanisms — require coordination and actions that can be tracked. Creating content for resources is often a time-consuming activity that requires collaboration among experts, reviews, approvals and periodic updates.

Putting The Plan Into Action

Leadership, or the intangible skill required to drive change management activities, should be manifested at all levels of the security team. In my experience, changes to technology and process, which affect such a large user community, require unique skills to lead.

Occasionally, larger programs require the singular leadership of an articulate and organized person who can influence people up and down the line. A security program needs a structure, and this communications leader must be included. Select and assign this person carefully, because a lot of responsibility will fall on his or her shoulders.

By creating a thoughtful and intentional plan, security practitioners can make longer lasting changes, and increase adoption and awareness throughout the company. This type of investment in empathy and understanding will pay many intangible dividends, strengthen the organizational culture and reduce overall security risks.