In an agile world where change is almost continuous, driving cyber security change and transformation is critical. True transformation takes time, but it’s not as difficult as you think, with the right approach.
Maintaining the status quo is no longer acceptable. Organizations must transform how they approach cyber security. However, one of the biggest challenges cyber security professionals face is that often Executive teams don’t listen, or don’t sign off the necessary budget.
Some of the reasons for the lack of Executive or Board support are that there is no clear plan or strategy, that a plan exists but has not been well communicated, or that a request for additional budget is made without a strong business case or the credibility to deliver.
At dig8ital, with our global experience, we use the following three simple steps to help our customers set their organizations on a clear path for cyber security change and transformation, while securing the much-needed Executive and Board support.
1. DEVELOP A CLEAR PLAN
In order to develop a clear plan, you must first understand where the organization is going and why it needs to transform in the first place.
Remember, cyber security transformation should support changes in the business and enable the business, for example, by introducing new technologies, rather than by saying no to new ideas. Once you understand the drivers behind the need to change (e.g. digitization), then you can create a plan to transform the cyber security approach to align with the change in the business and support it.
Never go to the Executive without a clear plan. You must be able to articulately outline the rationale for why cyber security transformation is required; the business benefits, including how it will enable the business; and your strategy for how you will achieve this.
Central to the success of this step is to engage with the Executive or Board by being crystal clear about what needs to happen and why. Do not make this about asking for money or extra budget – instead you need to first build the case for cyber security transformation. The only thing the Execs should be required to do is support the plan and communicate the cyber security strategy to their teams.
Once you have agreement on the transformation – and remember, the important thing here is that you’re not asking for a penny (you can figure that out later) – then the only thing you have to do is deliver using already allocated budget.
2. COMMUNICATE, COMMUNICATE, COMMUNICATE
Next, work on a communication strategy to share with the team. This should be concise; three to four pages is ideal. Again, it should clearly outline how the transformation will support the organizational strategy and enable the business.
Here are a few communication approaches that will help you advance your strategy and effectively reach your employees.
- Keep the message simple, but deep in meaning: strategy-specific messages linked to your purpose become tools to help employees connect what they do day-to-day and their behaviors with the aspiration of the organization.
- Keep it real: minimize ‘corporate speak’. Authentic messages will help your employees see the challenges and opportunities and understand the direction in which you’re trying to take the organization.
- Tell a story: facts and figures won’t be remembered. Stories and experiences will.
- Reinforce messages: it isn’t enough to explain your strategy or plan once. You’ll need to repeat the message. Use reinforcing messages to increase understanding and instill belief, and consider using a variety of channels and experiences.
Finally, throughout the key milestones of your plan, make sure you maintain open communication with the Executive team and keep them informed of progress – so there are no surprises. Remember, you don’t need anything from them, they just need to show support for the plan and reinforce the message to their teams.
3. DELIVER YOUR CYBER SECURITY TRANSFORMATION PLAN
When it comes to delivering on the plan, you’ll hear noise; that’s almost inevitable. For example, ‘it’s too much work!’ or ‘I don’t have time for this!’. But this noise is important: it’s an indication that you’re on the right track, because when real change happens, it’s uncomfortable for people.
Be realistic. Once the decision to transform has been made, execution of the plan is a process – expect that it will take you 18-36 months. Here’s an example timeline:
- Phase zero: 3-6 months – preparation, i.e. understanding the business and challenges
- Phase one: 6-12 months – mobilize, get your hands dirty
- Phase two: 12-18 months – requires incredible discipline, a tough timeframe
- Phase three: 18-36 months – allow for incremental evolution
You also need to realize that in-house teams often don’t have the skills and experience required. So you need to make sure you bring strong partners on board: cyber security professionals who have done this before and have specialist expertise in cyber resilience and in change and transformation.
Another reason to choose an external partner is that they can do things that you can’t – because they work differently and can set different rules for the playing field based on their expertise.
Then you need to find friends within the organization so you have an army behind you to support the change – not just the security folks. Talk to people across the organization and ask ‘Hey can you help us? Let’s do this.’
“The real competitive advantage in any business is one word only, which is PEOPLE.”
— Kamil Toume, Writer and Thought Leader
Cyber security change and transformation is possible. If you keep your approach simple and follow these three steps, you’ll find yourself in a much stronger position to enable and deliver change and transformation, based on a clear and well-communicated cyber security strategy.