12 Jan Organisational Change Management
Information security programmes are built on assessing risks and understanding what changes are required to make the unacceptable, acceptable. Information security objectives are reached through successful changes that usually overarch whole organisations or whole business units. In a time where the only constant in organisations, is the constant change, knowing and understanding how to manage change successfully can help any security professional get positive results in whatever objective they are trying to achieve.
The implementation of information security in an organisation requires continuous changes in a business’ processes, operations, governing policies, technologies and most importantly it requires changes in an organisation’s culture. For security to work, it needs to be engrained into the culture of the organisation and a change in culture can only be achieved after long-term roadmap of continuous organisational changes. This is why I strongly believe that understanding the psychology of an organisational change can be vital to a security program being successful.
I have found that implementing a security technology control or documenting a security procedure can be the easiest part of an information security initiative. The technology used can be the best in the market, or the procedure can be as well written as a Shakespearean play, but if it is not accepted by the organisation and most importantly by the people that make up this organisation, the initiative will not have the desired impact, if any impact at all.
Many a times the unfreeze – change – freeze model for managing organisational change applies in making information security an integral part of the organisation and a top priority in the business. Lewin’s change model compare organisational management to having a frozen block of ice and needing to change its shape. You must first know what shape you want the ice to be, melt the ice, create the shape, and re-freeze the ice into your newly formed shape.
In applying this model for changes required to mitigate risk, I usually make sure the objective of the change is understood, communicated, implemented and with time made part of the status quo. This processes allows the objective to be met, gets people on board, and aids in the continuous change in culture required for security to be successful in any organisation.
As with any organisational change, a security in a security initiative should be planned and assessed to ensure it is applicable to the organisation within which it is being pushed. My most successful projects have been those where planning included understanding how the change would impact and who it would impact. I involved major stakeholders from the start, taking onboard their input whilst making sure that they were aware why the change needed to happen and how it is for the greater good of the organisation. For a change to be successful, before even started, it must be sold to whoever is going to be effected. Whilst they don’t always want the change, at least they feel respected enough to be informed before it has happened, and are equipped with the knowledge to understand why the change was needed. This is what usually makes up the “Unfreeze” part of the change.
After a change is properly planned, communicated, documented and initiated, it will need time to become part of the organisation’s way of doing things. In other words, people, processes, technologies will need to adjust. This takes some getting used to and whilst planning might have ironed out a number of issues, this does not mean the change will come with no resistance. Any information security change that is desired to impact and mitigate will involve resistance. Getting the main stakeholders on board, does not mean an organisation-wide change will go down well with everyone.
What the study of organisational change management has helped me to understand though is that resistance is nothing other than feedback. Any feedback, positive or negative, is vital to a change being successful. We must listen to the feedback after a change is initiated, take it onboard, and if needs be adapt and continuously mould the initiative Feedback should never be ignored and with time the change will become part of the organisation’s processes, controls, technologies – referred to as the “freeze” part of the process.
I have mostly worked in organisations where the information security maturity needed to be built from the ground up. This meant heavy changes in short periods of time to quickly mitigate unacceptable risks. I do believe I was successful in integrating information security into organisations’ culture, by following organisational change management principles and by seeing them as foundational to information security management.
There are a number of organisational change management philosophies and psychologies that I apply in my day-to-day work. I have mentioned some at a high-level in this post today, but will dedicate posts to individual topics in the weeks to come.
The above post is a reflection of my personal opinion and in no way reflects nor is related to my employment.