In July, we acknowledged the challenges we found that security leaders were facing in navigating change within the industry:
• Static or declining budgets
• Lack of program standardization due to a variety of influences
• No common operating picture due to lack of technology standards and budget
• Lack of strategic value articulation at the top levels of the organization
We also pointed out that each one of these challenges reinforce each other. Without value articulation, budgets can be difficult. Without a common operating picture that captures information at its source and aggregates it so that analytics can be deployed over time, metrics are difficult. Without metrics, meaningful and comprehensive value cannot be quantified. Program standardization helps reinforce budget optimization and fiscal discipline, not to mention data capture and aggregation.
The bottom line: If you want to cut costs and increase value, something has to change. And that change impacts multiple people, processes and technology platforms within the organization.
More than ever, executives realize that one of the core competencies needed in their leaders is the ability to create a change culture. A change culture is self-correcting. The stakeholders (employees) are taught and empowered to recognize elements of their roles or processes that are inefficient or diluting value. Managers are provided tools by which they can receive input and measure the degree of criticality of the data. To do this, they are taught to organize teams to process the input. Author John Kotter calls these teams "guiding coalitions." They help identify the sense of urgency as well as test, articulate and manage the process of change. There are many thought leaders, books, and consulting organizations focused on this.
For example, in the Security Executive Council’s Next Generation Security Leader (NGSL) program, the faculty is composed of CSO’s who are currently going through or have gone through the change process for transforming their role from a purely preventative function to a recognized leader in helping to create a highly resilient and adaptable organization; an organization that optimizes their people, process and technology while driving innovative programs that create organizational value.
Dave Komendat, the CSO of The Boeing Company, is a frequent guest speaker at the NGSL forums. He tells a story of leading change by asking his people to be vigilant in looking for areas of collaboration and optimization that support the mission of the company. In doing this, his people are also asked to create supporting metrics that launch a sense of urgency to support a change, as well as measure the impact of a new/existing process or tool. (Example: technology solution).
As I sit in on presentations by technology vendors - who are beginning to see the market opportunity around budget/cost optimization, IT provisioning consolidation, information consolidation, identity consolidation, etc. - and then speak with security leaders, I realize that the biggest obstacle to their end goals is not technology, but cross functional leaders managing change.
The advice from the NGSL faculty seems to align with best practices around change. For example, let’s look at Kotter’s 8-Step Process for Leading Change:
Step 1) Establishing a sense of urgency: Help others see the need for change and they will be convinced of the importance of acting immediately.
Step 2) Creating the guiding coalition: Assemble a group with enough power to lead the change effort, and encourage the group to work as a team.
Step 3) Developing a Change Vision: Create a vision to help direct the change effort, and develop strategies for achieving that vision.
Step 4) Communicating the Vision for Buy-in: Make sure as many as possible understand and accept the vision and the strategy.
Step 5) Empowering Broad-based Action: Remove obstacles to change, change systems or structures that seriously undermine the vision, and encourage risk-taking and nontraditional ideas, activities, and actions.