Know Your Current Situation
An unrealistic vision is the prime way to tank any change initiative. No different than having an annual physical, it is important for businesses to do ongoing assessments of their technology and security. Without that frame of reference, you have no way of knowing what steps should be taken first or what is the most important.
In our security example, our assessments tell us that we use Office 365 and it supports Multi-Factor authentication. We also know phishing attacks generally are on the rise and we have suffered one known loss of credentials that put our bank accounts, customer relationships and corporate data at risk. It also cost 20 hours of IT time to recover from that breach. As a company that relies heavily on our reputation to drive sales, the possibility of jeopardizing our customers’ trust would be devastating.
Vision of Change
You cannot achieve something unless you have a vision of success. One of the keys to attain approval and project success for any transformational change is to define success in terms that all constituents can understand. In broad terms, there are usually three distinct constituent groups: staff, mid management and executives. Let’s look at how we could frame success for our project for these three groups:
Staff Goals:
- Reduce SPAM and phishing emails that users are exposed to by 95%
- Educate 100% of staff to recognize potential phishing emails and how to handle them – both professionally and personally
Mid-Management Goals:
- Reduce IT breach expenses by 95%
- Increase staff productivity by 3% by eliminating SPAM emails and breach downtime
Executive Goals:
- Leverage this project to achieve an organizational goal of reducing expenses by 10%
- Reduce risk of reputational damage
Build a plan that supports change
Once you have your vision and goals defined, you need to create a plan that will allow you to meet expectations. Your plan must contain the obvious issues of planning the technology implementation and training of users. The less obvious, but much more critical, item to plan for is defining how to measure success during and after the project is complete. You can’t claim success without having some facts to back it up. In our project, we consider measuring the following:
- Number of SPAM/phishing emails blocked by Advanced Threat Protection software
- Money spent on IT breach recovery expenses
- Staff downtime due to breach downtime multiplied by average staff salary
- Number of emails staff identify/report as possible phishing campaigns
- Number of staff that pass phishing test email campaigns
These measures will help us promote the change as it is happening and allows us to show executive management that we did, in fact, reduce expenses.
Drive Change with Data and Communication
Any change must be perceived as achievable and something that will drive a positive outcome for the end user. People can deal with change when they see value in it for them. From a personal perspective, losing 10 pounds sounds tough, but losing 1 pound every 2 weeks for 20 weeks seems much more likely to happen. If you can make it fun, the fear and pain of change can be replaced. So, consider the following for your security project:
- Give the project a name and promote it around the company
- Have key staff/managers within the company be cheerleaders for the project
- Make sure the training for the new security procedures is relevant and timely to staff
- Create a contest for staff on recognizing/reporting phishing emails.
- Recognize staff publicly for passing the test phishing campaigns
The project that we are talking about is not long in nature, but some can be. When taking on projects that span several weeks or months, it is great to communicate weekly on the progress. This can be in the form of a newsletter, manager meetings or other forms of communication that fit the organization. Generally, the more you communicate pertinent information and progress the better. Each of these communications should reflect the progress of attaining the goals, a success story of some kind, and where you are within the project timeline. Remember, everyone needs to feel part of the victory of completing the goal.
