5 change principles every CIO can apply to cyber security

I’m currently working with an organisation going through significant IT transformational change. These are exciting times where change is being carefully managed and the impact on people is reflected on at every turn. Observing and being part of this change got me thinking: how many organisations are considering the careful management of change when it comes to introducing or uplifting cyber security? How is the effectiveness of change in security culture or maturity being measured outside of security-focussed audits?

Back in 2012, Professor Mark Mueller-Eberstein delivered a TED talk, ‘Lead and be the change’. Watching this during the week, I thought about how CIOs (and others) might benefit from overlaying Professor Mueller-Eberstein’s change principles when it comes to supporting their security leader’s strategy and instilling security practices as a way of life in the organisation. When it comes to cyber security, consider the following:

1. Have a clear vision. If you’re bringing in a new leader to facilitate an uplift in security, ask yourself exactly why you are hiring and what they are here to achieve (more on this here). You need to do the hard thinking on this early, socialise it and promote it across your business, your exec and your Board. A lot of change programs fail because they don’t have a clear vision that’s achievable and understood by the relevant stakeholders.

2. Clarify the impact of not changing. This doesn’t mean you need to spread fear. Simply articulate what ‘doing nothing’ about security could mean for your business today and in the future. This is a driver for change.

3. Communicate. Communication isn’t about sending out an email or a news article. It’s about allaying fears, dealing with where people are on the change curve (anger, frustration, scepticism, impatience, to name a few) and expressing what’s in it for them. Sometimes people won’t get on the bus until they know how they will be personally, positively impacted.

4. Team up. Leverage people in the business who have diverse roles to raise the profile of the security change occurring. Surround yourself with supporters. Bring execs to your face-to-face security events, empower project leaders to build security into their lifecycle, and use the marketing team to help with your in-house security branding. Working together raises the profile and importance of your security message.

5. Lead. Own the change. Don’t leave the IT Security Manager/head of security/CISO to be the only one who is visibly passionate and committed to the change. You need to lead the charge.

Professor Mueller-Eberstein ends by encouraging the audience to celebrate the change. This is great advice, especially when it comes to security. Securing an organisation is not a destination; it’s a never-ending journey (an overused cliché, but it remains true). To instil new behaviours in staff and maintain buy-in, the change needs to be managed and monitored (and celebrated) to ensure long-term success. Have you considered how applying good change management principles can enhance your security journey?

Buy my book - ‘The Secure CIO’ here!