Everyone I’m speaking to in security at the moment is going through some kind of an uplift, a transformation, or a major program of works (e.g., Zero Trust). As someone who’s had to kick off and lead large transformation in large bureaucratic organizations, I know exactly the challenges involved. They are mostly internal and political (I talk a LOT about the P word in this research). So this research was almost cathartic for me. I spoke to many CISOs, change managers, executive coaches, C-level executives from other disciplines (business, risk, IT), and people from various disciplines.
Are CISOs prepared for implementing the necessary large-scale change? And I definitely don’t mean from a technology perspective. I don’t think we are. We are bombarded with the amount of tactical requests, not everyone in the org loves the security team, we (security folk) generally hate the idea of politics and avoid it at all costs, AND there are a lot of detractors that come out when a change is occurring.
How do you navigate your way through large organizations to create change? In this research, I write about the 3 P’s: people, process, and politics. Remember that everything comes down to human interactions, and human interaction is inherently political. So if I can leave you with anything that came out of this research: Learn how to be political with transparency and integrity.
Forrester clients can read this research here. Some of my key takeaways:
- Work with your supporters and manage your detractors. This will require you, as a leader, to identify the key players in your organization, do the groundwork, and turn the feedback and criticisms into a solution, rather than an offence. I have a couple of handy graphics about key player types and how to work with and influence them.
- Embrace politics. Yep, easier said than done, especially when we all have such a horrible image of what “being political” means. And yet I learned from my experience and from my research that politics doesn’t have to be a dirty word. Many leaders I spoke to said that it is simply an opportunity to understand and engage. In this research, I give a couple of nuggets for how to be political with integrity.
- Commit to being a leader of change. That’s job No. 1, and being a technician is a distant second. This means that there are skills that you need to build and amplify, such as public speaking, negotiation, and communication skills. It also means honing in on the fact that you’re a people leader and that you need to reach everyone from the CEO to your SOC analysts.
- Manage your mental health to avoid burnout. All leaders experience stress, which they need to manage. I will be doing a lot more research on this topic this coming year. In this research, I touch the surface but wanted to note it as a hugely important part of managing change.
- Recruit change management skills. It amazes me how many security programs STILL happen without change managers, and then we wonder why projects and programs weren’t successful. This is not an optional skill, nor is it one that most of us have.
Finally, I’ll leave you with my favorite anonymous quote from this research: “For me, politics is an opportunity. If you understand what people are actually saying as part of raising their comments, and you take that as an opportunity to turn their concern into a solution, it becomes a different conversation.”