Hardly a day goes by when cyber attacks are not in the news and this topic is even starting to regularly emerge in family and social conversations.
It’s one thing to assess cyber risk and maturity with a product like CDCAT® and increase awareness with RESILIA ™ Frontline on line awareness training, but for improvement to occur, change will need to happen. Not just technical change but cultural change; knowing that it is wrong to pick up and use that usb you find on the floor, it’s wrong to share passwords or always open that email attachment .
To create cultural change, the knowledge provided by any training or analytical tool needs to be the foundation. How to build on this foundation and make it real in an organisation is where change management as a discipline has a lot to offer.
The principles of change management will ensure organisations move from cyber awareness to cyber capability. Individuals that have change management skills will be able to:
- Understand the human side of change in your approach to cyber awareness and knowhow to help people deal more effectively with this change;
- Understand and identify the various types of change that will occur as organisations adjust to an increased cybercrime rich operating environment;
- Know how to identify, work with and communicate with stakeholders impacted by cybercrime;
- Know how to assess the impacts of change and develop effective change teams, including the ability to focus on where pockets of resistance lie; and
- Understand the process of sustaining change and how to embed a cyber change initiative as the new ‘business as usual’.
Organisations that embrace change management in a structured way can:
- Build cyber capability and be more nimble, flexible and proactive when change is needed;
- Able to meet their strategic intent and increase the probability of successful business change/transformation;
- Minimise risks (costs, delays, loss of employee engagement, reputation) associated with failed initiatives or cyber attacks;
- Protect their data! And if your Risk Committee does not think a breach comes at a cost then have a look at the sanctions that can be applied for the organisations that are non-compliant. The European General Data Protection Regulation is one example and many other countries also have legislation about to be enacted requiring stringent data protection measures to be in place, understood and maintained;
- Ensure that there is a uniform approach adopted across the organisation in the management of cyber protection initiatives;
- Assist with employee commitment and understanding of ‘why the organisation needs to improve cyber controls’; these controls are also there to protect employee personal data;
- Improve stakeholder communication at all levels to understand the need for an organisation wide approach to cyber management; and
- Create a culture of structured change management.
So your organisation and your country does need You! – the impact of cyber-attacks will need people to work with improved technology, the two have to work together. Every person has a role to play. Being resilient to cyber-attack will need a significant cultural change – from the boardroom to the basement. If change from the boardroom to the basement is to occur change management needs to be recognised as a discipline and not an optional extra. We think nothing of “patching” our software, how about “patching “our people and culture?
“ But this type of change will not occur “ - I do need to correct you on this as think of how health and safety issues are taken now as second nature. I do remember when seat belts did not exist and babies were simply put in the basinet on either the front or back seat of the car. Today we do not question safety in this area and instinctively buckle up and also ensure that our children are also secure. The same has happened with smoking, my first public service job came with the Commissioner handing me my name badge and the Deputy Commissioner presenting me with the government department branded ash tray for smoking at my desk. Yes, cultural change can happen if we want it to and all contribute.
Change managers have the advantage of access to a global approach to change (APMG Change Management certifications) and resources provided by the global Change Management Institute (CMI). The information is there, NOW is the time to use it to improve cyber capability.
To all change managers – expand your horizons; look at how your unique skills can help your organisation make that cyber cultural change. The cyber frontier awaits you, so go boldly where no change manager has gone before.
Lawrie Kirk - Consulting Services Executive, Global and BDM Australia and New Zealand at APMG International