{"id":1685,"date":"2025-01-29T06:00:00","date_gmt":"2025-01-29T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1685"},"modified":"2025-01-29T06:00:00","modified_gmt":"2025-01-29T06:00:00","slug":"want-to-be-an-effective-cybersecurity-leader-learn-to-excel-at-change-management","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1685","title":{"rendered":"Want to be an effective cybersecurity leader? Learn to excel at change management"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>If there\u2019s one thing that\u2019s inevitable in cybersecurity, it\u2019s change. Ever-evolving technology requires new protections, threats seem to multiply and morph on a daily basis, and even the humblest pieces of software and hardware demand constant updating to stay secure.<\/p>\n<p>That work has been increasing as the importance, visibility, and impact of security initiatives have ramped up in recent years. Now, more than ever, security programs often require <a href=\"https:\/\/www.csoonline.com\/article\/3625745\/how-cisos-can-forge-the-best-relationships-for-cybersecurity-investment.html\">stakeholders within and sometimes even outside<\/a> an organization to change workflows, practices, and behaviors.<\/p>\n<p>A disciplined approach to change management in security is a must, says Ken Knapton, who provides CISO and CIO services through his IT services firm Rocky Mountain CIO. \u201cThe idea is, if you\u2019re going to make changes, there is a path you have to bring people down and it starts with \u2018Here\u2019s what we want to do,\u2019\u201d Knapton tells CSO.<\/p>\n<p>To effectively lead organizations through change, Knapton uses a chart that maps the multiple steps necessary to successfully adopt new ways of working. 
The chart plots the movement from awareness and understanding of the desired change through compliance and adoption to, ultimately, internalization. It also lists the myriad consequences of resistance (including sabotage and canceled projects).<\/p>\n<p>Knapton had successfully used this approach as a CIO. As he has more recently taken on CISO duties, he\u2019s applying those same change-management skills to ensure that new security processes, policies, and technologies are adopted effectively.<\/p>\n<h2 class=\"wp-block-heading\">Cybersecurity leaders need to widen their change-management skills<\/h2>\n<p>\u201cToo often security leaders say, \u2018We are going to do this because we have to\u2019 without helping people along the path. That\u2019s because they think everyone is going to jump on board. But that doesn\u2019t work,\u201d Knapton says.<\/p>\n<p>\u201cYou have to be constantly looking at how people are reacting to change and help them move along the positive path from acceptance [to internalization].\u201d<\/p>\n<p>To be sure, CISOs have long had some change management work as part of their responsibilities.<\/p>\n<p>\u201cMost CISOs are running significant initiatives including cloud migration; zero trust architecture; technology upgrades; proactive threat hunting; and insider threat, digital identity, and human risk management programs. Far from being purely technology programs, these initiatives require a fair dose of people, process, oversight, and technology knowledge,\u201d says Jinan Budge, a vice president and analyst at Forrester Research.<\/p>\n<p>\u201cThe opportunity to implement broad change in an organization requires a new breed of skills,\u201d she adds.<\/p>\n<p>With that in mind, here are 10 steps CISOs looking to up their change management effectiveness may find worth trying.<\/p>\n<h2 class=\"wp-block-heading\">1. Seize the role<\/h2>\n<p>\u201cChange happens all the time, everywhere, whether you notice it or not. 
This leaves the CISO with a simple choice: Drive change or follow it,\u201d says Budge, author of \u201c<a href=\"https:\/\/www.forrester.com\/blogs\/a-cisos-guide-to-leading-change\/\">A CISO\u2019s Guide To Leading Change<\/a>.\u201d<\/p>\n<p>She advises CISOs to seize the role of change agent and be willing to lead others forward. \u201cCISOs need to decide if they\u2019re primarily a leader or a techie,\u201d she explains. \u201cThis is a conscious decision that a CISO has to make at some point in their career \u2013 how much of their current success is a result of their technical knowledge, and how much is the result of their ability to collaborate and persuade. They will eventually need to stand up as a leader, not hunker down behind a keyboard.\u201d<\/p>\n<h2 class=\"wp-block-heading\">2. Start early<\/h2>\n<p>Security should never be an afterthought; the change management process shouldn\u2019t be, either, says Michael Monday, a managing director in the security and privacy practice at global consulting firm Protiviti.<\/p>\n<p>\u201cThe change management process should start early, before changing out the technology or process,\u201d he says. \u201cThere should be some messages going out to those who are going to be impacted letting them know, [otherwise] users will be surprised, they won\u2019t know what\u2019s going on, business will push back and there will be confusion.\u201d<\/p>\n<h2 class=\"wp-block-heading\">3. Focus on the business benefits<\/h2>\n<p>Effective CISOs drive security changes by focusing on the business benefits those changes bring, Monday says.<\/p>\n<p>Monday has seen the evidence: He worked with a CISO at a financial services company that led a password policy change impacting the firm\u2019s customers. The CISO teamed up with business leaders to anticipate customer concerns and craft messages on why the password policy changes would help deter fraud and better safeguard the customers\u2019 assets. 
\u201cThe communication was put in business terms,\u201d Monday says.<\/p>\n<h2 class=\"wp-block-heading\">4. Identify then lean on allies<\/h2>\n<p>Like others, seasoned security leader Ed Moyle has seen an increasing need for CISOs to shepherd teams through new ways of work as a result of a security need \u2014 necessitated by, for example, a new regulatory requirement or an organization-wide initiative such as a move to a <a href=\"https:\/\/www.networkworld.com\/article\/971137\/who-is-selling-zero-trust-network-access-ztna-and-what-do-you-get.html\">zero-trust<\/a> framework.<\/p>\n<p>\u201cIt\u2019s often the CISO who now has to push these new things,\u201d says Moyle, a former CISO, founding partner of the firm SecurityCurve, and a member of the Emerging Trends Working Group with the professional association ISACA. In his experience, Moyle says he has seen some workers more willing to change than others and learned to enlist those workers as allies to help him achieve his goals. He says CISOs should identify such workers and have them champion both the \u201cwhy\u201d behind the change and act as ambassadors and guides for the change.<\/p>\n<p>Nick Kramer, leader of applied solutions at SSA &amp; Co., a global consulting firm advising companies on strategic execution, similarly advises CISOs to seek out and organize influencers as a way to drive needed change.<\/p>\n<p>\u201cStart with them,\u201d Kramer says. Get them to understand the reasons for the change and work with them to identify \u201cthe really practical things you need to do to implement change. Set up teams of cross-functional stakeholders and give them clear charters and clear success milestones. 
These are the ones who will influence and support their peers, who can explain [what\u2019s happening] in ways that peers understand and believe, and who can explain all that in the right tone and in the right language and in the right context of experience.\u201d<\/p>\n<h2 class=\"wp-block-heading\">5. Collaborate with impacted stakeholders<\/h2>\n<p>Like most security chiefs, Kyle Lai has faced pushback on security initiatives he has led. He cites as a case in point a past effort to insert security into an existing DevOps practice. Even though the company had a top-down culture, where teams were expected to follow executive directives, Lai says developers didn\u2019t rush to embrace the security processes he was introducing into their workflow.<\/p>\n<p>\u201cThey were more like, \u2018We\u2019re happy to do this, as long as you don\u2019t slow us down,\u2019\u201d says Lai, president and CISO with KLC Consulting.<\/p>\n<p>Lai addressed such concerns head-on, demonstrating how the new security measures \u2014 such as vulnerability scans \u2014 would enable, not detract from, the speed the DevOps teams valued and would help teams to ultimately deliver better products overall.<\/p>\n<p>He also identified team members who would make good security champions, trained them on the new processes, incentivized them to spread the word and sought their input. \u201cThey had the right knowledge to communicate to their community and they could reach back to us when there were issues or concerns. It helped us figure out what would actually work well,\u201d Lai says.<\/p>\n<h2 class=\"wp-block-heading\">6. 
Focus on the 3 Ps<\/h2>\n<p>To successfully manage change, Budge also advises CISOs to \u201calways think of the 3 Ps: people, process, and politics.\u201d<\/p>\n<p>When it comes to the people portion, she tells CISOs to \u201cfeed supporters and manage detractors.\u201d<\/p>\n<p>As for process, \u201cidentify the key players for the security program and understand their perspective. There are influencers, budget holders, visionaries, and other stakeholders \u2014 each of which needs to be heard, and persuaded, especially if they\u2019re a detractor.\u201d<\/p>\n<p>And when it comes to politics, CISOs must view it as \u201can opportunity to understand and engage people. It\u2019s essential to understand how people at different levels are likely to react to the strategy and steer them toward the correct outcome once you present it for consideration. In a corporate environment, politics is not an optional activity. So, sit down and listen without judgment.\u201d<\/p>\n<p>She \u201chas seen CISOs avoid politics, and miss out on understanding why their stakeholders will not support them\u201d but has also observed CISOs who treat politics as an \u201copportunity,\u201d citing one CISO who found that \u201cif you understand what people are actually saying as part of raising their comments and take that as an opportunity to turn their concern into a solution, it becomes a different conversation.\u201d<\/p>\n<h2 class=\"wp-block-heading\">7. Build up trust, goodwill<\/h2>\n<p>Moyle says his experience shows that people are willing to follow his lead if they already trust him and have a good rapport. So he has seized on opportunities to create that goodwill in advance, knowing it pays off.<\/p>\n<p>For example, when new documentation requirements were introduced to an engineering team, he offered to work with team members to fill in the needed information. He says the move built political capital. 
\u201cIt was about being a trusted partner and someone who is willing to help. So, when the time came to get new security things done, I was able to leverage that goodwill.\u201d<\/p>\n<h2 class=\"wp-block-heading\">8. Enlist other executives<\/h2>\n<p>Some CISOs may find that, either because of their position in the org chart or because of the organization\u2019s culture, they \u201caren\u2019t elevated enough to carry the umph needed to lead change\u201d on their own, so they need to lean on the CIO or other executives, Monday says.<\/p>\n<p>In such cases, CISOs should be ready to educate their executive partners on the details of the security change that needs to happen and the why behind it but then let the \u201cWe must change come from others at the top,\u201d Monday adds.<\/p>\n<h2 class=\"wp-block-heading\">9. Hire staff skilled in change management<\/h2>\n<p>Budge is emphatic about this step, saying \u201cAlways, always, always hire at least one person, if not a team, of change managers with formal change management skills.\u201d<\/p>\n<h2 class=\"wp-block-heading\">10. Tackle any organization-wide resistance to change<\/h2>\n<p>Security executive Tyson Kopczynski says CISOs have increasingly become successful change agents who are able to rally others to their visions. Just look at any organization that has successfully moved to more secure ways of authentication in recent years, he says.<\/p>\n<p>\u201cTo do that, CISOs have to orchestrate across the entire organization. They start by building demand and then lead the change,\u201d he says.<\/p>\n<p>\u201cBut while a lot of CISOs are mastering this capability and this skill, the overall organization in many cases is dysfunctional when it comes to digital change. And if the overall organization doesn\u2019t have the capacity to change, then the CISO as an agent of change is not scalable,\u201d Kopczynski says. 
\u201cThere are only so many things that the CISO can lean into before hitting that proverbial wall. This is a fundamental falling down point for many organizations.\u201d<\/p>\n<p>Kopczynski, co-founder and CISO in Residence of the Professional Association of CISOs as well as the author of the post \u201c<a href=\"https:\/\/www.linkedin.com\/pulse\/perils-poor-change-management-tyson-kopczynski-vjxnc\/\">The Perils of Poor Change Management<\/a>\u201d, says CISOs in such cases must find ways to not only guide security-related changes but also inspire the organization to embrace change in general.<\/p>\n<p>\u201cYou have to build a case around the organization itself building those capabilities by working with the CTO, business leaders, product folks,\u201d he explains. \u201cThe CISO has to say, \u2018We need to build this capability and have it function across the various business lines, so we can sustain change and move faster. So the next step for a CISO to mature themselves is to say, \u2018I\u2019ve got to work upstream.\u2019 It\u2019s an opportunity for them to show they are true business leaders.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>If there\u2019s one thing that\u2019s inevitable in cybersecurity, it\u2019s change. Ever-evolving technology requires new protections, threats seem to multiply and morph on a daily basis, and even the humblest pieces of software and hardware demand constant updating to stay secure. 
That work has been increasing as the importance, visibility, and impact of security initiatives have [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1686,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1685"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1685"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1685\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1686"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}