When it comes to cybersecurity, many businesses focus solely on implementing the latest and greatest tools to protect their assets and data. However, just like with personal health, it's not enough to only use the best products; you also need to establish good habits and practices to ensure long-term success.
Put another way: buying the top-of-the-line jetted tub and electric toothbrush won’t keep you clean. You need to regularly shower, brush your teeth, cut your hair, and more to maintain good personal hygiene. Your company’s cyber hygiene? No different.
That's where change management comes in. By establishing healthy habits and behaviors across the entire organization, companies can ensure that their cybersecurity initiatives are effective for the long haul.
Change management is the process of preparing, supporting, and helping individuals, teams, and organizations make organizational changes successfully. Organizations that invest in change management are 6x more likely to meet or exceed their project objectives than organizations that don’t. This is because change management ensures that employees are engaged and committed to the changes, which leads to better outcomes. Additionally, according to a study by IBM, organizations that invest in change management see an average return on investment of $1.50 for every dollar spent on those initiatives.
In the context of cybersecurity, change management ensures that the implementation of cybersecurity initiatives is successful. This is important because cybersecurity initiatives require a significant shift in the way organizations operate, which can be challenging for employees to adapt to. So how can an organization get everyone aligned for security and success?
1. Change management minimizes resistance to change
Change means disruption, and employees can be resistant to it, especially if they feel that their jobs are at risk or that the change will make their jobs more challenging. Resistance can hinder the implementation of cybersecurity initiatives, leaving the organization vulnerable to cyberattacks. If you’ve ever started a new workout regimen and felt so sore the first week that you wanted to give up because the effort didn’t seem worth the frustration, you understand this feeling.
Change management professionals act like personal trainers, supplying the necessary support and training to get the team through the most challenging terrain and help them see the finish line ahead. Providing that vision and support reduces that initial resistance and helps people adapt to—and adopt—the changes.
2. Change management ensures effective implementation
Investing in cybersecurity tools won't necessarily protect a company from cyber threats. How many tools has your team purchased with the fantasy that THIS one would be the one to solve all your project management problems? How many do you use to full effect?
The reason so many change initiatives fail, according to 86% of executives, is a lack of collaboration and communication. Change just gets dropped on people and abandoned when frustration outweighs benefit. But with the right change management practices, organizations can start with a strategy—a well-communicated plan that will ensure cybersecurity measures are implemented effectively with long-lasting results, the same way having a tailored fitness regimen with specific and measurable goals is more effective for your health than just buying a Peloton.
3. Change management helps maintain cybersecurity posture
Finally, just like how we need to keep up good hygiene habits to prevent illness and disease, companies need to maintain their cybersecurity posture to prevent cyberattacks. Cyber threats are constantly evolving, and organizations must continuously update their cybersecurity measures and readiness to stay ahead of cybercriminals.
Change management helps organizations implement these updates smoothly and effectively. This is because change management practices ensure that employees are aware of the changes and are trained to use the new cybersecurity measures. As a result, the organization's cybersecurity posture stays strong, and it is better equipped to deal with new and emerging cyber threats.
As important as it is to make a case for the ROI of change management investments, it's also important to understand the consequences of not having a healthy organization during cybersecurity efforts. A prime example of this is the 2013 Target data breach, when cybercriminals stole over 40 million Target customers’ credit and debit card information.
The breach was caused by an employee of Target's third-party vendor who had access to Target's network. Cybercriminals stole the employee's access credentials and used them to gain access to Target's network. Once inside the network, the cybercriminals were able to install malware on Target's point-of-sale systems, which allowed them to steal customers' credit and debit card information.
One of the main reasons the Target breach occurred was a lack of change management. Target's security team was aware of the potential risks associated with third-party vendors but did not implement adequate security controls to prevent an attack. Additionally, Target employees were not trained on how to notice and report suspicious activity, which allowed the cybercriminals to remain undetected for several weeks.
The consequences of the Target breach were severe. The company faced lawsuits and regulatory fines that amounted to over $200 million. Additionally, the company's reputation was severely damaged, and customers lost trust in the company. As a result, Target's stock price fell by 40%, and the CEO and CIO of the company were forced to resign.
The Target breach is a cautionary tale that highlights the importance of change management during cybersecurity initiatives. Had Target invested in change management practices, the breach might have been prevented, or at least the consequences could have been minimized. Best practices would have ensured that employees were trained to identify and report suspicious activity, and security controls would have been implemented to prevent unauthorized access to the company's network.
It all comes down to this: Just as good personal hygiene and exercise habits are crucial for our health, change management is crucial for an org’s cybersecurity posture. By establishing healthy behaviors and practices around change initiatives, companies can ensure that their cybersecurity measures are effective long-term.
The first step to cybersecurity change readiness? Getting a checkup. To figure out exactly where your org stands when it comes to your cyber hygiene - and get everyone walking in the same direction - get started by learning more about our Cybersecurity Studio services.