Keep The Change?
(or change your plans!)
“The only thing that is constant is change.”
The ancient philosopher Heraclitus first coined the cliché, and just about every culture and corporation has adopted some form of it as part of a plan to adapt, improve, or expand.
And its companion cliché, “Adapt or Die” seems apropos for the time and season we currently find ourselves, given the dramatic rise in cyber events and outright hostilities between organizations, nations, cultures, and people.
From a cybersecurity perspective, the notion of “Adaptive Change Management,” goes beyond just looking at password length and firewall settings. With the advances in technologies being used to attack our critical infrastructures, organizations have to consider more than a few new tools to stay ahead of the bad guys, and that might first require a change in how “Risk” is viewed and addressed within the business’ operations.
Dr. John Kotter at Harvard University identified a series of factors, which—when integrated with a focus on cybersecurity and critical infrastructures—may help your business better embrace the ever-changing threat landscape that you may or may not be aware of.
Experience has shown that managing change is a difficult and often expensive proposition—especially in cultures where “That’s the way we’ve always done things” rules the halls. Part of the challenge, however, is that few factors are considered “Common Ground” on which to build an effective transition platform (at least where internal Corporate Cultures are concerned), and as a result, transforming initiatives, specifically pertaining to how to implement new security policies, processes, technologies, and mandates, often fall out of balance and out of touch with what senior leadership expects, vs what gets delivered at the end of the day.
So, with a nod to Dr. Kotter and his work at Harvard on the subject of “Change,” and how we can adapt these concepts to improving critical security infrastructures, let’s look at each of his “Change Factors” that can help improve our respective security maturity scales.
1. Identify a Champion (i.e., “Change Agent”).
For a change of any real substance to occur, a sense of urgency must be created. This urgency might occur as a result of actions imposed upon an organization by outside forces (a ransomware attack, etc.), or it may occur as a result of a self-imposed action, such as a new mandate from a governing body, or directive from the Board. In his Forbes article, “Every Leader Must Be a Change Agent or Face Extinction,” Glen Lloopis writes, “When was the last time you asked about the role that technology plays in your business?” Relying on a single point of contact, such as the CTO, says Lloopis, folks throughout the C-level team and beyond must become more aware of an organization’s dependency on technology–and especially on how “Risk” is weighed in the balance between People, Process and Products.
The Champion’s role (whether out of a response to an incident or as part of the day-to-day operations), is “willing to push for improvement even when entrenched interests and processes resist,” according to ZDNet’s Michael Krigsman.
2. Establish Operational Urgency.
Change, at least in the context of implementing new security controls and tactics throughout an operational infrastructure, is initiated by a Change Agent. “People must take action on information,” writes FHL Bank Atlanta’s Cathy Adams. “They must exercise vigilance to monitor and maintain systems continually.” Adams adds that organizations–regardless of the sector–must become better “at tracking risks and understanding how these risks integrate into the organization.” Examples of a sense of urgency might be suggested when an organization’s primary competition is exceeding its growth expectations, or when something bad happens to a peer organization (or within the host company).
Change Agents are often assigned tasks after-the-fact, and often feel a greater sense of urgency. Getting the rest of the group to “come along” (so to speak) becomes the first challenge, and often requires teams to work from the inside out (rather than trying to introduce an external process or resource that may be seen as threatening).
3. Create Coalitions of Support.
“Keep your friends close and your adversaries closer” may have been a phrase coined by Mario Puzo’s fictional Michael Corleone, but the axiom has become a staple of conflict resolution. In the corporate world, executives often find themselves at odds with factions within the rank and file—usually with those who are farther away from the leadership ranks than are the “Front Office” folks. To get people on board with needed changes/improvements, the need to identify leaders among all levels of the organization becomes mission-critical, through which a sense of emotional commitment may be secured and unified.
Once such a coalition comprised of a mix of perspectives and roles is organized, it’s important to build the team into a group of “stakeholders,” whose critical infrastructure security interests (such as protecting the “Crown Jewels” or managing a merger and acquisition transition), are kept in the forefront of reinforcing the need for change throughout the organization.
4. Define a Mission-critical Vision.
There’s a difference between being the “Idea Guy” and the Go-to Guy. In this fourth principle, a well-articulated strategy for what is needed (i.e., improving the SOC, moving open tickets faster through the process, establishing a comprehensive IR strategy, sun-setting old technology, etc.), is essential to successfully affect change and improving an operation. In their “Security Atlas Guidebook,” the team at PWC describes five key disciplines a CSO-cum-Visionaryneeds to balance:
- Assess: Understand where you are and where you want to be
- Analyze: Conduct analyses that will give you actionable insight
- Strategize: Build a strategic implementation roadmap
- Align: Maintain strategy as a dynamic, continuous process
- Communicate: Improve consensus-building, messaging, and reporting
5. Reinforce Effective Communication Protocols.
Leaders must establish a “shared strategy/outlook with a set of priorities.” As well, there were several examples given of how Oswald took further broad-based action to ensure management support, including scheduling an all-employee meeting, where he explained how the company was going to take necessary steps to improve its financial situation, and providing a forum for employee input prior to instituting any policy changes.
I was asked in a recent conversation with an IT leadership team at a medium-sized medical device manufacturing company, what I thought was the best way to address the issue of reinforcing the need for greater accountability in keeping cross-functional teams current on security practices and “good housekeeping.” Through ongoing training sessions, as well as by simply reviewing (or establishing) a basic ISMS, CSOs and supporting teams can begin the task of establishing a “shared strategy/outlook with a set of priorities.”
6. Remove Obstacles that may Confuse the Mission.
No matter how small (or large) an organization is, there’s always a nay-sayer in the midst. Human nature, perhaps, is to immediately start out a conversation about change with, “That will never happen,” or, “It will never work.” This mentality is especially dangerous where protecting critical infrastructures is concerned.
While obstacles of all kinds (logistic limitations, staffing inefficiencies, supply chain management issues, resource shortfalls, etc.), may impact the overall outcomes of an organization’s drivers, obstacles involving simple human nature (the “Nay-sayer Factor”), may be removed, or at least reduced to a manageable level, by identifying and hiring change agents whose roles are to ensure the necessary changes are implemented.
From a different perspective, however, Fast Company’s Art Markman suggests in a “4 Minute Read” that when everyone is on the same page, ideas become stale:
“Most people start their discussions of opinions that disagree with their own by finding reasons why that conflicting opinion is wrong.” Markman points out that by recognizing the value of colleagues (and subordinates) whose opinions may differ from your own creates “an environment that promotes free exchange,” which often results in better ideas and better solutions to addressing business and security challenges.
7. Identify & Highlight Short-term Wins.
In medium and large organizations, ofttimes, small actions may be considered short-term wins, but from a sense of overall success in seeing an organization move its security initiatives forward, human nature might suggest that people—especially in a workplace—like to know where they fit into the Big Picture and that what they are doing is having a direct impact on the overall success of the operation. As a result, implementing a new tool or a new policy is not only not enough of a success measurement—it often becomes a matter of confusion if taken out of context from what the organization is hoping to achieve on the “Big Picture” side of things.
To motivate a team, there’s nothing better than experiencing success—no matter how small the success may be. This principle reinforces the need to see small gains as a means of measuring long-term progress (not to be mistaken for long-term success, however).
8. Transition from Small Wins to Establishing a Baseline Operational Policy.
Organizations looking to ramp up a security awareness effort need look no further than to such resources as the NIST 800 Cybersecurity Framework or the PCI Security Standards Council for comprehensive implementation plans. But getting to a comprehensive operational model and implementing it throughout the organization isn’t going to happen overnight.
Activities that support a permanent change in the culture of an organization’s security practice may include examples such as the regularly-scheduled employee meetings and postings, establishing strong training, and “self-guided” performance improvements for those who are responsible for the processes and policies associated with the organization’s protection of critical assets.
9. Fortify Change within the Corporate Culture.
Activities that support a permanent change in the culture of an organization’s security practice may include examples such as the regularly scheduled employee meetings and postings, establishing strong training, and “self-guided” performance improvements for those who are responsible for the processes and policies associated with the organization’s protection of critical assets.
Conclusion. The old adage “It’s a balance between People Process and Products” when describing how to best implement a strong security defense may be true, but as any good leader will attest, everything starts with how the teams understand and believe in the objectives associated with protecting the business. And when your organization is ready to look for a change in how it evaluates and manages cyber risk, Guidacent has a four-tiered Cybersecurity service offering that is tailored for any size business and any budget.
Give us a call—we’ll make sure there’s plenty of “Change” left in the coffers!