Changing the way we look at "security" could make the difference in how successful we are.
Here's a step-by-step process CSOs and their teams can implement to integrate any type of GRC or Infrastructure Security change initiative into the organization, with each phase being comprised of individual transitional milestones organizations can use to gauge their progress. These factors can help move that cultural needle up the security maturity scale. Experience suggests, as well, that these factors fall into two phases:
The first five phases establish the groundwork for how an organization can begin defining and migrating a policy, new technology, or team structure into its operational parameters. The next four tenets for change ensure cultural adaptations within an organization can become permanent.
1. Identifying a champion (i.e., “Change Agent”).
For change of any real substance to occur, a sense of urgency must be created. This urgency might occur as a result of actions imposed upon an organization by outside forces (a ransomware attack, etc.), or it may occur as a result of a self-imposed action, such as a new mandate from a governing body, or directive from the board.
In his Forbes article, "Every Leader Must Be a Change Agent or Face Extinction," Glen Lloopis writes, "When was the last time you asked about the role that technology plays in your business?" Relying on a single point of contact, such as the CTO, says Lloopis, folks throughout the C-level team and beyond must become more aware of an organization's dependency on technology--and especially on how "Risk" is weighed in the balance between people, process and products.
The champion's role (whether out of a response to an incident or as part of the day-to-day operations), are "willing to push for improvement even when entrenched interests and processes resist," according to ZDNet's Michael Krigsman.
2. Establishing operational urgency.
Change, at least in the context of implementing new security controls and tactics throughout an operational infrastructure, is initiated by a Change Agent. "People must take action on information," writes FHL Bank Atlanta's Cathy Adams. "They must exercise vigilance to monitor and maintain systems continually." Adams adds that organizations—regardless of sector—must become better "at tracking risks and understanding how these risks integrate into the organization." Examples of a sense of urgency might be suggested when an organization’s primary competition is exceeding its growth expectations, or when something bad happens to a peer organization (or within the host company).
Change Agents are often assigned tasks after-the-fact, and often feel a greater sense of urgency. Getting the rest of the group to “come along” (so to speak) becomes the first challenge, and often requires teams to work from the inside out (rather than trying to introduce an external process or resource that may be seen as threatening).
3. Forming coalitions of support.
“Keep your friends close and your adversaries closer” may have been a phrase coined by Mario Puzo’s fictional Michael Corleone, but the axiom has become a staple of conflict resolution. In the corporate world, executives often find themselves at odds with factions within the rank and file—usually with those who are further away from the leadership ranks than are the “Front Office” folks. To get people on board with needed changes/improvements, the need to identify leaders among all levels of the organization becomes mission-critical, through which a sense of emotional commitment may be secured and unified.
Once such a coalition comprised of a mix of perspectives and roles is organized, it’s important to build the team into a group of “stakeholders,” whose critical infrastructure security interests (such as protecting the “Crown Jewels” or managing a merger and acquisition transition), are kept in the forefront of reinforcing the need for change throughout the organization.
4. Creating a mission-critical vision.
There’s a difference between being the “Idea Guy” and the Go-to Guy. In this fourth principle, a well-articulated strategy for what is needed (i.e., improving the SOC, moving open tickets faster through the process, establishing a comprehensive IR strategy, sun-setting old technology, etc.), is essential to successfully affecting change and improving an operation. In their “Security Atlas Guidebook,” the team at PwC describes five key disciplines a CSO-cum-Visionary needs to balance:
- Assess: Understand where you are and where you want to be
- Analyze: Conduct analyses that will give you actionable insight
- Strategize: Build a strategic implementation roadmap
- Align: Maintain strategy as a dynamic, continuous process
- Communicate: Improve consensus-building, messaging and reporting
5. Reinforcing effective communication protocols.
Leaders must establish a “shared strategy/outlook with a set of priorities.” As well, there were several examples given to how Oswald took further broad-based action to ensure management support, including scheduling an all-employee meeting, where he explained how the company was going to take necessary steps to improve its financial situation, and providing a forum for employee input prior to instituting any policy changes.
In their post, “Think Functionally, Act Strategically,” Caglar & Kapoor write, “Changes give functional leaders a mandate to think and operate more strategically than they did in the past.” The authors continue, “They are also being asked to focus, for the first time, on resolving function-related conflicts among different parts of the larger organization (for example, conflicts over incompatible IT systems or redundant talent initiatives).”
I was asked in a recent conversation with an IT leadership team at a midsize medical device manufacturing company, what I thought the best way to address the issue of reinforcing the need for greater accountability in keeping cross-functional teams current on security practices and “good housekeeping.” Through ongoing training sessions, as well as by simply reviewing (or establishing) a basic ISMS, CSOs and supporting teams can begin the task establishing a “shared strategy/outlook with a set of priorities.”
6. Removing obstacles that may confuse the mission.
No matter how small (or large) an organization is, there’s always a nay-sayer in the midst. Human nature, perhaps, is to immediately start out a conversation about change with, “That will never happen,” or, “It will never work.” This mentality is especially dangerous where protecting critical infrastructures is concerned. While obstacles of all kinds (logistic limitations, staffing inefficiencies, supply chain management issues, resource shortfalls, etc.), may impact overall outcomes of an organization’s drivers, obstacles involving simple human nature (the “Nay-sayer Factor”), may be removed, or at least reduced to a manageable level, by identifying and hiring change agents whose roles are to ensure the necessary changes are implemented.
From a different perspective, however, Fast Company’s Art Markman suggests in a “4 Minute Read” that when everyone is on the same page, ideas become stale: “Most people start their discussions of opinions that disagree with their own by finding reasons why that conflicting opinion is wrong.” Markman points out that by recognizing the value of colleagues (and subordinates) whose opinions may differ from your own creates “an environment that promotes free exchange,” which often results in better ideas and better solutions to address business and security challenges.
7. Identifying/tracking short-term wins.
In midsize and large organizations, oft times, small actions may be considered short-term wins, but from a sense of overall success in seeing an organization move its security initiatives forward, human nature might suggest that people—especially in a workplace—like to know where they fit into the big picture, and that what they are doing is having a direct impact on the overall success of the operation. As a result, implementing a new tool or a new policy is not only not enough of a success measurement—it often becomes a matter of confusion if taken out of context from what the organization is hoping to achieve on the “Big Picture” side of things.
To motivate a team, there’s nothing better than experiencing success—no matter how small the success may be. This principle reinforces the need to see small gains as a means of measuring long-term progress (not to be mistaken for long-term success, however).
From a security audit perspective, the folks at ISACA believe short-term wins are so important, it’s included as a COBIT Management Practice control activity:
BAI05.04: “Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning organizational structures and HR processes. Identify short-term wins that can be realized and are important from a change enablement perspective.”
8. Moving from small wins to building a baseline operational policy.
Organizations looking to ramp up a security awareness effort need look no further than to such resources as the NIST 800 framework or the PCI Security Standards Council for comprehensive implementation plans. But getting to a comprehensive operational model and implementing it throughout the organization isn’t going to happen overnight. Activities that support a permanent change in the culture of an organization’s security practice may include such examples such as the regularly-scheduled employee meetings and postings, establishing strong training and “self-guided” performance improvements for those who are responsible for the processes and policies associated with the organization’s protection of critical assets.
9. Anchoring change within the corporate culture.
Activities that support a permanent change in the culture of an organization’s security practice may include such examples as the regularly-scheduled employee meetings and postings, establishing strong training and “self-guided” performance improvements for those who are responsible for the processes and policies associated with the organization’s protection of critical assets.
Conclusion. Consistent leadership in driving change for organizations looking to improve critical infrastructure security goes beyond the tools and the operational controls. The adage “It’s a balance between People Process and Products” when describing how to best implement a strong security defense may be true, but as any good leader will attest, everything starts with how the teams understand and believe in the objectives associated with protecting the business.
This article is published as part of the IDG Contributor Network. Want to Join?