Change Management for Zero Trust Initiatives
Change management isn’t any different for Zero Trust than it is for any other big initiative. But most of us aren’t very good at change management. And security and cybersecurity are not sexy. And most people want their security to be minimally invasive and as unnoticeable as possible. And most leaders get no top-line/bottom-line joy from spending money on Zero Trust initiatives. And Zero Trust doesn’t drop new features and functionality for a product at the end of a sprint. But you still need change management so that you can gain endorsement from leadership, drive urgency or aspiration in stakeholders and users, and drive long-term cultural change. Three key areas you can focus on as you get started:
Resources
There is a change management standard created to meet ISO specifications for standards creation, and several change management processes you can use to drive change.
ACMP
The Association of Change Management Professionals (ACMP) maintains a standard for change management that describes in about 70 pages how to create and drive a change management plan. Their standard shows a step for closing the change management process. However, we feel that Zero Trust and cybersecurity are ongoing efforts that will always require change management so closing the effort might never occur. They also offer a certification, so if you are looking for a change management resource this is a good way to narrow down your search.
There are also several processes for change management that you can apply and that align well with the ACMP standard. As you create your strategy, determine which process or processes you might leverage to help drive change, based on the culture of your organization.
Changefirst
Changefirst is a methodology that breaks change management into efforts at the organizational level and efforts that must occur locally.
Organizationally:
Locally:
Using multifactor authentication rollout as the change, here is an example of what Changefirst might look like:
Our case for change is to change authentication so that we strengthen the verification process during end-user authentication while balancing security and end-user productivity. We propose we roll out multifactor authentication (MFA) across the organization.
Changefirst has two methodologies on its website. For change management, you are interested in People-Centered Implementation (PCI). There are online assets you can purchase with templates and tools for using the methodology. There’s a short (3-minute) video that introduces the process, or you can download a whitepaper from their site that provides additional explanation. To download, you must register, and they email you a link that you use to access the 40-page eBook.
Kotter-Cohen
The Kotter framework has been around for almost twenty years so there is a lot of expertise and guidance available. The framework has eight steps for leading change:
Using the MFA example, it might look like this:
The external threat to our IT environment and our data requires we change our user verification to defend against attacks from bad actors. We must change authentication so that we strengthen the verification process during end-user authentication while balancing security and end-user productivity. We propose we roll out multifactor authentication (MFA) across the organization following these steps:
Increase Urgency: Negotiated new hire orientation training and provisioning of MFA as part of the onboarding process by <date>
Build the Guiding Team: Onboard stakeholders from HR, Training, Identity Dev, IT Ops, and Ops teams to kick off.
Get the Right Vision: Stakeholders create or agree to the existing mission and vision for MFA.
Communicate for Buy-in: Socialize plan with sponsors, organizational leaders, and members of training, delivery, operations, and support teams.
Empower Action: Provide roadmap, architecture, constraints, and other critical information, and inform “boots on ground” teams where they must confirm and where they can stray from the plan.
Create Short-term Wins: Create and alpha test MFA capability with key stakeholders and early adopters.
Don’t Let Up: Security moment at every sprint review and sprint planning meeting.
Make it Stick: Publish a refresh training forward schedule for the next two years with HR for internal training.
On the Kotter website are all the resources you might need to be successful. There is only one framework; however, a set of change principles is listed as well. On the 4 Core Change Principles webpage is a link to download an eBook and a series of short videos describing the principles. We recommend you review the videos (4 minutes each) and download the eBook. To download the eBook, you must fill out a form and they will email a link to the eBook.
Prosci ADKAR
ADKAR is the acronym for awareness, desire, knowledge, ability, and reinforcement, which are the steps in their process. Many consultancies use ADKAR as their change management process:
Using the MFA example, it might look like this:
For this initiative, we must change authentication so that we strengthen the verification process during end-user authentication while balancing security and end-user productivity. We propose we roll out multifactor authentication (MFA) across the organization. We will use the following change management process:
Prosci has a few models and processes listed on their site. This one is easy to implement and is meant to drive individual change. They also have a nice primer for change management. You register and are sent a link to the actual 17-page eBook. They also have a set of six resources you can register to download that help with ADKAR. When you register for this resource, a zip file containing the six PDFs is downloaded to your device. Each file is about 3MB.
VitalSmarts/Crucial Learning Influencer
Influencer is a model designed to change ingrained human behavior. The other frameworks presented feel like the requisite change is in the center of the framework and the people are at the edges. This framework feels like it is centered on the human behavior that must change, with the change itself at the edge. The columns are broken into how to motivate people to change their behavior and what competence must be added, and in what manner. The rows describe the level of change, from the individual to the herd, and then to structure.
Using the MFA example, it might look like this:
For this initiative, we are introducing multifactor authentication. We propose we roll out multifactor authentication (MFA) across the organization providing it first to influencers and then using gamification with a reward of personal perks to motivate adoption. We’ll use the following motivators to grow the abilities:
Vitalsmarts did have a model named Influencer. It is now part of the Crucial Learning set of courses (good courses), so it is a bit harder to find a lot of information online. This diagram represents the model as it was when it was driven by Vitalsmarts.
Crucial Learning has books and courses, and a YouTube channel, but to effectively use it you need to pay for some training and invest time in formal education on change management. We recommend if you use this framework that you find a consultant with experience driving initiatives with this process.
Final Thoughts
With Zero Trust, change will be constant and forever so a goal of change management should include creating a culture of change. Most people like routine work where they gain competence in their role and focus their career on execution. Creating a culture where change is constant and is not limited to Zero Trust can help.
This interview with Mike Farabelli provides lessons learned that reinforce the steps to which the frameworks we presented give structure. It’s a short and worthwhile read.
Congratulations! You’ve eaten the elephant that is Zero Trust. Just know it is a never-ending journey.