2nd February 2021
To train and improve the security awareness of employees for the long term, five steps should be followed to build and maintain a cyber security culture. During this blog series, we will introduce you to these five steps, including selected tactics that will lead to success. Part five deals with the topic of change management strategy as a success factor.
Every company must manage changes from time to time. For example, this can involve dealing with new software, new access systems or a new security awareness project. An aspect common to all projects is that the change must be accepted and implemented by the employees. A change management strategy for the planning and implementation of the project can help achieve this.
In this article we show you what a change management strategy is, why it makes sense, how to develop a change management strategy and how it helps improve security awareness in your company.
A change management strategy helps track and successfully implement the change process inherent in a new project. The strategy provides the basis for decisions and describes the type of change and the groups which are affected. Afterwards, it helps make the change reality.
For a change to be understood, accepted, and implemented, you need to ask yourself a few questions to avoid failure to implement or only partial implementation of the change. You must understand ...
This process helps to establish the change consistently and successfully in a company.
To prevent employees from rejecting or resisting a desired change, strategies and measures are required that help them accept and implement it. It is always difficult to accept something new in the beginning. There are various ways to make this easier and faster. A change management strategy should be developed so that no target group and no project details are forgotten.
The advantages of developing a change management strategy are as follows:
The following points must be considered when developing the change management strategy:
Any change may encounter resistance. It is therefore important to consider beforehand the possible nature of such resistance and how you can prevent or solve it in advance.
Depending on the problem or target group, there may be different types of resistance and solutions. The same problem can also require different approaches: for example, one department may be more affected by the change than another and may therefore be more resistant to the change.
Create a risk map in advance for the instances of resistance and record the risks according to general risks and specific risk factors. Enter the possible target groups here. This gives you an overview of what resistance you can expect in advance.
The Open Mind Academy (1) lists 5 factors in its article "How to convince people to change their behavior" that can prevent change:
Therefore, pay attention to the points mentioned above and how to avoid or resolve them.
You may be wondering how a change management strategy might improve security awareness in your company. Security awareness and the corresponding measures can be smaller or larger projects with different impacts on employees. For secure behavior to be learned, implemented, and integrated into daily activities, changes in employee behavior are needed.
Therefore, it makes sense to plan a security awareness strategy, campaign, or individual measures according to the principles of the change management strategy. In this way, you can determine possible challenges and resistances in advance, define whether different target groups need to be trained differently, and determine who should help as change ambassadors in the company to drive and exemplify the change.
Let's look at the procedure for implementing a change management strategy using the example of planning a security awareness campaign.
A change management strategy is basically a project plan, but with a focus on changing people's behavior.
The planning of such a campaign and the resulting change management strategy are carried out by the security team. Preferably, a role for a person or a team responsible for security awareness already exists or has been defined for it. In this case, this person or team also acts as a change manager or change management team that leads, drives, and reviews the project. The team also ideally receives help for implementation from other departments, where the security officers help to spread the word and support the implementation and change process.
In the project team, you should ask yourself the following questions beforehand:
In addition, change management takes place at three levels in a company, all of which should be considered:
Each level requires different measures and procedures. Some of the questions listed above can be answered, for example, with our Security Awareness Radar®. The employee survey is sent to all employee groups and departments. You can see which departments and employee segments have a higher need for training on which topics. It also shows at which level the measures should be applied.
When developing a change management strategy and the associated project, it is important to make it as simple and easy to understand as possible. If necessary, the individual steps of the change should be subdivided into smaller ones so that they can be implemented more easily.
For this reason, it is important to clearly define the desired change and to use simple wording. Depending on the target group and scope, all employee segments should also be considered. Listen to concerns, fears, and wishes as well and try to pick them up in advance. If employees feel they are taken seriously, they are also more willing to accept change. Avoid frightening and threatening communication.
Also pay attention to the company culture. For example, if the company is driven by clear hierarchies, you should first convince the company management about security awareness measures and then let the management be a role model and set the measures so that they can be implemented and accepted more easily by the employees.
Also highlight any advantages of the strategy or awareness project. Package possible negative aspects positively. It is easier to identify with positive changes and start building them into daily activities than negative ones.
An article by Initio Organizational Consulting (2) lists 14 success factors for successful change management. In our view, the following specific points should be emphasized and supplemented.
Communication should be simple and understandable and the desired change in behavior should be communicated clearly. The importance of this is also emphasized in McKinsey's “Influence Model” (3). The aim of the measures should be clear and achievable in small steps. ENISA (4) also recommends paying attention to positive language and wording when communicating. Communicate openly about the goals, status, achievements, and challenges of the project and the change process. Clear and open communication helps employees to better understand, accept, and implement change and related projects.
Another important success factor for changing behavior is the role model function of the management level and other employees. This is also the conclusion of the ENISA report (4) and McKinsey (3), who describe this aspect in their “Influence Model”. It is easier for people to adapt to new behavior if others, especially those they look up to, lead by example.
Listen to criticisms and concerns and take them seriously. They can give rise to new perspectives and ideas that have not been considered before. You should therefore also work with other stakeholder groups, departments, and security officers. They are closer to the employees concerned and can pass on their concerns, fears, and criticisms and may already offer solutions if required.
The Open Mind Academy (1) also recommends that you do not put pressure on people to make the change happen. Pressure is likely to generate resistance and rejection and is therefore counterproductive. It also helps to implement change in small steps instead of one big step. Change is more easily accepted if the distance is smaller.
The second part of our blog post deals with the topic of how change management can be applied in relation to security awareness and security strategy.
(1) Open Mind Academy: https://www.open-mind-academy.ch/wie-man-menschen-ueberzeugt-ihr-verhalten-zu-aendern/
(2) Initio Organisationsberatung: Die 14 wichtigsten Change Management Erfolgsfaktoren. https://organisationsberatung.net/change-management-erfolgsfaktoren/
(3) McKinsey: The four building blocks of change. https://www.mckinsey.com/business-functions/organization/our-insights/the-four-building-blocks--of-change
(4) ENISA Report: Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity. https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity
Inspired by the following blog posts