Organisational Change Management

Information security programmes are built on assessing risks and understanding what changes are required to make the unacceptable acceptable. Information security objectives are reached through successful changes that usually span whole organisations or whole business units. In a time where the only constant in organisations is change itself, knowing and understanding how to manage change successfully can help any security professional get positive results in whatever objective they are trying to achieve.

The implementation of information security in an organisation requires continuous changes in a business’ processes, operations, governing policies, technologies and most importantly it requires changes in an organisation’s culture. This is why understanding the psychology behind an organisational change can be vital to a security program being successful.

I have found that implementing a technology control or documenting a procedure can be the easiest part of an information security initiative. The technology used can be the best in the market, or the procedure can be as well written as a Shakespearean play, but if it is not accepted by the organisation and most importantly by the people that make up this organisation, the initiative will not have the desired impact, if any impact at all.


The unfreeze – change – freeze model

Many times the unfreeze – change – freeze model for managing organisational change applies to making information security an integral part of the organisation and a top priority in the business. Lewin’s change model compares organisational management to having a frozen block of ice and needing to change its shape. You must first know what shape you want the ice to be, melt the ice, create the shape, and re-freeze the ice into your newly formed shape.

As with any organisational change, a change in a security initiative should be planned and assessed to ensure it is applicable to the organisation within which it is being pushed. This includes understanding who the change would impact and how it would impact them.

The objective of the change needs to be understood and well-communicated, before it is implemented and with time made part of the status quo. In my experience, I’ve found that involving major stakeholders from the start, taking onboard their input whilst making sure that they were aware why the change needed to happen and how it is for the greater good of the organisation, helped make a change successful. I found whilst stakeholders don’t always want the change, at least they feel respected enough to be informed before it has happened, and are equipped with the knowledge to understand why the change was needed.

I also find that unfreezing the organisation in parts helps. Running pilots of the change, learning from them and then adapting the target “shape” of the organisation not only helps make the implementation of the change more successful, but also allows the results to help convince others of its positive impact.

After a change is properly planned, communicated, documented and initiated, it will need time to become part of the organisation’s way of doing things. In other words, people, processes and technologies will need to adjust. This takes some getting used to, and whilst planning might have ironed out a number of issues, this does not mean the change will come with no resistance. Any information security change intended to have a real impact and mitigate risk will meet resistance. Getting the main stakeholders on board does not mean an organisation-wide change will go down well with everyone.

Resistance as Feedback

Resistance is nothing other than feedback. Any feedback, positive or negative, is vital to a change being successful. We must listen to the feedback after a change is initiated, take it on board, and if need be adapt and continuously mould the initiative. Feedback should never be ignored, and with time the change will become part of the organisation’s processes, controls and technologies – referred to as the “freeze” part of the process.

I have mostly worked in organisations where the information security maturity needed to be built from the ground up. This meant heavy changes in short periods of time to quickly mitigate unacceptable risks. I do believe I was successful in integrating information security into organisations’ culture, by following organisational change management principles and by seeing them as foundational to information security management.

There are a number of organisational change management philosophies and psychologies that I apply in my day-to-day work. I have mentioned some at a high-level in this post today, but will dedicate posts to individual topics in the weeks to come.


The above post is a reflection of my personal opinion and in no way reflects nor is related to my employment.
