Going the Right Way about Cybersecurity Transformation
Cybersecurity transformation cannot be seen as a straightforward change
This interesting piece in the Harvard Business Review should be a must-read for all transformational CISOs (“The Most Successful Approaches to Leading Organizational Change” – Deborah Rowland, Michael Thorley, and Nicole Brauckmann – 20 April 2023)
Its focus on the true dynamics of change, and the fact that change leaders focus too much on the “what” of change and not the “how”, bring out obvious parallels with situations we are seeing all too often in the field around cybersecurity transformation.
Irrespective of their original level of cyber maturity, most organisations have the tendency to treat cybersecurity transformation as a controllable, straightforward type of change, warranting directive approaches.
In keeping with the purely technical and operational focus that has been plaguing cybersecurity approaches for decades, transformation is often architected around projects and the deployment of tools. Stakeholders are broadly told what to do and are expected to follow rules; if and when they don’t, this is pinned down to a lack of “training” or “awareness”, two other projects and low-hanging fruit that many CISOs are keen to regard as the alpha and omega of cybersecurity.
This culture of “blaming the user” is regressive, and in the end, all this is rarely transformative in itself: Projects are vulnerable to adverse prioritisation and are often re-shaped as business priorities evolve. More often than not, they do not deliver on their primary objectives in a way that would match initial expectations.
Engineering true dynamics of change around cybersecurity has to start with two essential steps:
First of all, the proper examination of past failed approaches or initiatives in that space.
Although cybersecurity has been making significant gains in visibility at top level over the past few years, it did not appear on the board’s agenda out of thin air and has been evolving for over two decades. Examining without complacency what might have gone wrong in the past, and confronting the true roadblocks that prevented change from sticking, is a fundamental prerequisite.
This is likely to lead cybersecurity transformation leaders towards cultural and governance issues, as well as possible under-investment.
Often, the latter (under-investment) is simply a symptom of the former (cultural and governance issues) and is easily illustrated by situations where money – which was previously denied – appears out of nowhere at the first sight of an incident, a near-miss, a regulatory visit or simply a bad audit report.
Confronting those types of cognitive biases – or at least acknowledging them – is essential in understanding the dynamics of change around cybersecurity.
This is where many training and awareness programs go wrong: They frame the argument as a rational argument – something that has to be explained or taught – instead of focusing on the deeper cultural issues at the heart of the matter.
This takes us to our second essential step: the need to acknowledge cybersecurity as a cross-functional discipline and to build trust with all stakeholders.
Nothing lasting can happen in that space without listening first to all the parties that have a role to play in protecting the business from cyber threats, understanding their constraints, their fears, their priorities, and where they might see conflicts around the objectives of the cybersecurity transformation programme.
There is no more fundamental aspect to engineering true dynamics of change around cybersecurity.
Imposing new measures or practices onto stakeholders without prior engagement and a true exchange of views simply creates friction, and over time, rejection or cynicism in the face of endless rules. Overall, it breeds frustration and incomprehension around what cybersecurity is about.
Going back to the language of the authors in our starting article, the combination of “emergent” and “masterful” change driven top-down by senior execs is likely to be the best blend for cybersecurity transformation (“creating the conditions for change” and “trusting people to deliver”), as is often the case for any type of complex change.
That’s the main point: Cybersecurity transformation cannot be seen as a straightforward change; cybersecurity transformation is complex and transversal and needs to be treated as such in all its dimensions.