In larger organizations, a day doesn’t go by without some organizational change, be it mergers and acquisitions, implementing the latest and greatest technology tools, engaging with new third-party vendors, expanding to new geographical locations. All this change places a heavy burden on IT staff and creates a whole slew of security challenges that must be met to avoid costly data breaches and other security incidents, making change management an essential part of any cybersecurity strategy.
What Is Change Management in Cyber Security?
Described in simple terms, change management is said to be a systematic approach for dealing with change. “The objective of change management is to enable beneficial changes to be made with minimum disruption to services,” explain the people behind the Unified Compliance Framework.
The roots of change management can be traced back to the 1960s and people like Everett Rogers, who believed that change must be understood in the context of time, communication channels, and its impact on all affected participants.
Change management takes into consideration the impact of a change on processes, systems, and employees within the organization, and it offers a clear path to follow to implement strategies for effecting change, controlling change, and helping people adapt to change, among other things.
Today, there are several change management models that organizations of all sizes can implement to better deal with change, and they include:
- ADKAR: A goal-oriented change management model that guides individual and organizational change. It was created by Prosci founder Jeff Hiatt, and it stands for awareness, desire, knowledge, ability and reinforcement.
- Bridges’ Transition Model: Created by William Bridges and first published in his 1991 book “Managing Transitions,” the Transition Model highlights three stages of transition that people go through when they experience change: Ending, Losing, and Letting Go; The Neutral Zone; The New Beginning.
- John Kotter’s 8-Step Process for Leading Change: This 8-step change management model was invented by Dr. John P. Kotter, the Konosuke Matsushita Professor of Leadership, Emeritus, at the Harvard Business School, and it has helped transform countless organizations.
- Lewin’s Change Management Model: Also referred to as the Unfreeze-Change-Freeze (or Refreeze) model, this change management model proposes 3 stages to manage change more effectively.
- McKinsey 7S Framework: Developed by business consultants Robert H. Waterman, Jr. and Tom Peters in the 1980s, the elements of this change management model include structure, strategy, systems, skills, style, staff, and shared values.
In the context of IT, change management is an IT service management discipline, and it’s commonly used to promptly handle all changes to IT infrastructure and minimize their impact on daily operations. Changes to IT infrastructure are either reactive (responses to problems and reactions to externally imposed requirements) or proactive (business initiatives). By providing a contrete set of standardized methods, processes, and procedures, change management minimizes the potential detrimental impact of changes and ensures their proper handling.
Making Security Part of Change Management Processes
Enterprise IT infrastructures are in a constant state of flux as workloads move to the cloud, patches are made available, old hardware is made obsolete, and new technologies and solutions are implemented.
The problem is that all this change can quickly turn into chaos and create many opportunities for cybercriminals to march in undetected and leave with gigabytes of private information. Perhaps the best example of just how severe the consequences of lacking change management processes can be is the Equifax breach, one of the worst data breaches in history because it resulted in the exposure of the personal data of 148 million individuals in the U.S., or 56 percent of all American adults.
The breach was caused by the failure to patch a two-month-old bug in Apache Struts, an open-source web application framework for developing Java EE web applications. “In a perfect world, once a security patch has been made available, it will get pushed into production immediately to prevent adversaries from taking advantage of the vulnerability. In the real-world, large organizations do not have the luxury operate this quickly,” writes Druce MacFarlane, the Director of Security Products with Gigamon.
If Equifax had made security part of its change management process, the consumer reporting agency would have been able to patch much sooner and prevent the disaster that happened. However, closing the gap between the patching introduction and the eventual deployment is just one of many reasons that make change management an important part of every cybersecurity strategy.
Change management in cyber security is “absolutely necessary. It promotes standards, process improvement, reduces complexity and risk and provides sanity in complex environments,” says David Sherry. An investment in change management can greatly improve an organization’s security posture, allowing it to grow and dynamically react to changing market demands.
It’s impossible for organizations to survive and thrive without change. The problem is that every change, such as the provisioning of new hardware or software, introduces risk in the form of possible attack surface. Change management enables organizations to eliminate this risk, allowing them to implement beneficial changes with minimum disruption to services. For this reason, change management should be an integral part of every cybersecurity strategy.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond