These 10 steps can help CISOs and other cyber pros deal with the inevitable change they will face in an industry constantly challenged by new technology, widening business responsibilities, and an ever-evolving threat landscape.

If there’s one thing that’s inevitable in cybersecurity, it’s change. Ever-evolving technology requires new protections, threats seem to multiply and morph on a daily basis, and even the humblest pieces of software and hardware demand constant updating to stay secure.

That work has been increasing as the importance, visibility, and impact of security initiatives have ramped up in recent years. Now, more than ever, security programs require stakeholders within, and sometimes outside, an organization to change workflows, practices, and behaviors.

A disciplined approach to change management in security is a must, says Ken Knapton, who provides CISO and CIO services through his IT services firm Rocky Mountain CIO.

“The idea is, if you’re going to make changes, there is a path you have to bring people down and it starts with ‘Here’s what we want to do,’” Knapton tells CSO.

To lead organizations through change, Knapton uses a chart that maps the steps necessary to adopt new ways of working. The chart plots the movement from awareness and understanding of the desired change, through compliance and adoption, to, ultimately, internalization. It also lists the consequences of resistance, including sabotage and canceled projects.

Knapton used this approach successfully as a CIO. As he has more recently taken on CISO duties, he’s applying those same change-management skills to ensure that new security processes, policies, and technologies are adopted effectively.

Cybersecurity leaders need to widen their change-management skills

“Too often security leaders say, ‘We are going to do this because we have to’ without helping people along the path. That’s because they think everyone is going to jump on board. But that doesn’t work,” Knapton says. “You have to be constantly looking at how people are reacting to change and help them move along the positive path from acceptance [to internalization].”

To be sure, CISOs have long had some change management work as part of their responsibilities.

“Most CISOs are running significant initiatives including cloud migration; zero trust architecture; technology upgrades; proactive threat hunting; and insider threat, digital identity, and human risk management programs. Far from being purely technology programs, these initiatives require a fair dose of people, process, oversight, and technology knowledge,” says Jinan Budge, a vice president and analyst at Forrester Research. “The opportunity to implement broad change in an organization requires a new breed of skills,” she adds.

With that in mind, here are 10 steps CISOs looking to improve their change management effectiveness may find worth trying.

1. Seize the role

“Change happens all the time, everywhere, whether you notice it or not. This leaves the CISO with a simple choice: Drive change or follow it,” says Budge, author of “A CISO’s Guide To Leading Change.”

She advises CISOs to seize the role of change agent and be willing to lead others forward.

“CISOs need to decide if they’re primarily a leader or a techie,” she explains. “This is a conscious decision that a CISO has to make at some point in their career – how much of their current success is a result of their technical knowledge, and how much is the result of their ability to collaborate and persuade. They will eventually need to stand up as a leader, not hunker down behind a keyboard.”

2. Start early

Security should never be an afterthought; the change management process shouldn’t be, either, says Michael Monday, a managing director in the security and privacy practice at global consulting firm Protiviti.

“The change management process should start early, before changing out the technology or process,” he says. “There should be some messages going out to those who are going to be impacted letting them know, [otherwise] users will be surprised, they won’t know what’s going on, business will push back and there will be confusion.”

3. Focus on the business benefits

Effective CISOs drive security changes by focusing on the business benefits those changes bring, Monday says.

Monday has seen the evidence: He worked with a CISO at a financial services company who led a password policy change affecting the firm’s customers. The CISO teamed up with business leaders to anticipate customer concerns and craft messages on why the password policy changes would help deter fraud and better safeguard the customers’ assets. “The communication was put in business terms,” Monday says.

4. Identify then lean on allies

Like others, seasoned security leader Ed Moyle has seen an increasing need for CISOs to shepherd teams through new ways of working driven by a security need, such as a new regulatory requirement or an organization-wide initiative like a move to a zero-trust framework.

“It’s often the CISO who now has to push these new things,” says Moyle, a former CISO, founding partner of the firm SecurityCurve, and a member of the Emerging Trends Working Group with the professional association ISACA.

In his experience, Moyle has seen some workers more willing to change than others and has learned to enlist those workers as allies to help him achieve his goals. He says CISOs should identify such workers and have them both champion the “why” behind the change and act as ambassadors and guides for it.

Nick Kramer, leader of applied solutions at SSA & Co., a global consulting firm advising companies on strategic execution, similarly advises CISOs to seek out and organize influencers as a way to drive needed change.

“Start with them,” Kramer says. Get them to understand the reasons for the change and work with them to identify “the really practical things you need to do to implement change. Set up teams of cross-functional stakeholders and give them clear charters and clear success milestones. These are the ones who will influence and support their peers, who can explain [what’s happening] in ways that peers understand and believe, and who can explain all that in the right tone and in the right language and in the right context of experience.”

5. Collaborate with impacted stakeholders

Like most security chiefs, Kyle Lai has faced pushback on security initiatives he has led. He cites as a case in point a past effort to insert security into an existing DevOps practice. Even though the company had a top-down culture, where teams were expected to follow executive directives, Lai says developers didn’t rush to embrace the security processes he was introducing into their workflow.

“They were more like, ‘We’re happy to do this, as long as you don’t slow us down,’” says Lai, president and CISO with KLC Consulting.

Lai addressed such concerns head-on, demonstrating how the new security measures, such as vulnerability scans, would enable, rather than detract from, the speed the DevOps teams valued and would help teams ultimately deliver better products. He also identified team members who would make good security champions, trained them on the new processes, incentivized them to spread the word, and sought their input.

“They had the right knowledge to communicate to their community and they could reach back to us when there were issues or concerns. It helped us figure out what would actually work well,” Lai says.

6. Focus on the 3 Ps

To successfully manage change, Budge also advises CISOs to “always think of the 3 Ps: people, process, and politics.”

When it comes to the people portion, she tells CISOs to “feed supporters and manage detractors.”

As for process, “identify the key players for the security program and understand their perspective. There are influencers, budget holders, visionaries, and other stakeholders — each of which needs to be heard, and persuaded, especially if they’re a detractor.”

And when it comes to politics, CISOs must view it as “an opportunity to understand and engage people. It’s essential to understand how people at different levels are likely to react to the strategy and steer them toward the correct outcome once you present it for consideration. In a corporate environment, politics is not an optional activity. So, sit down and listen without judgment.”

She “has seen CISOs avoid politics, and miss out on understanding why their stakeholders will not support them” but has also observed CISOs who treat politics as an “opportunity,” citing one CISO who found that “if you understand what people are actually saying as part of raising their comments and take that as an opportunity to turn their concern into a solution, it becomes a different conversation.”

7. Build up trust, goodwill

Moyle says his experience shows that people are willing to follow his lead if they already trust him and have a good rapport. So he has seized on opportunities to create that goodwill in advance, knowing it pays off.

For example, when new documentation requirements were introduced to an engineering team, he offered to work with team members to fill in the needed information. He says the move built political capital. “It was about being a trusted partner and someone who is willing to help. So, when the time came to get new security things done, I was able to leverage that goodwill.”

8. Enlist other executives

Some CISOs may find that, either because of their position in the org chart or because of the organization’s culture, they “aren’t elevated enough to carry the oomph needed to lead change” on their own, so they need to lean on the CIO or other executives, Monday says.

In such cases, CISOs should be ready to educate their executive partners on the details of the security change that needs to happen and the why behind it, but then let the “we must change” message come from others at the top, Monday adds.

9. Hire staff skilled in change management

Budge is emphatic about this step, saying “Always, always, always hire at least one person, if not a team, of change managers with formal change management skills.”

10. Tackle any organization-wide resistance to change

Security executive Tyson Kopczynski says CISOs have increasingly become successful change agents who are able to rally others to their visions. Just look at any organization that has successfully moved to more secure ways of authentication in recent years, he says.

“To do that, CISOs have to orchestrate across the entire organization. They start by building demand and then lead the change,” he says.

“But while a lot of CISOs are mastering this capability and this skill, the overall organization in many cases is dysfunctional when it comes to digital change. And if the overall organization doesn’t have the capacity to change, then the CISO as an agent of change is not scalable,” Kopczynski says. “There are only so many things that the CISO can lean into before hitting that proverbial wall. This is a fundamental falling down point for many organizations.”

Kopczynski, co-founder and CISO in Residence of the Professional Association of CISOs as well as the author of the post “The Perils of Poor Change Management,” says CISOs in such cases must find ways not only to guide security-related changes but also to inspire the organization to embrace change in general.

“You have to build a case around the organization itself building those capabilities by working with the CTO, business leaders, product folks,” he explains. “The CISO has to say, ‘We need to build this capability and have it function across the various business lines, so we can sustain change and move faster.’ So the next step for a CISO to mature themselves is to say, ‘I’ve got to work upstream.’ It’s an opportunity for them to show they are true business leaders.”