Beyond Buy-In: True Change Is Only Achieved Through Accountability

February 12, 2021 CyberArk Blog Team

Change management

If there is one concept that has dominated the tech world over the past few years, it’s … disruption. It seems the entire industry has been driven by a mission to shake up everything indiscriminately and render anything more than a few years old obsolete. And this has led to a lot of good and even more dramatic change. But it’s also led to a lot of uncertainty – some of which has to do with the word disruption itself.

The idea of tech disruption really started with Harvard Business School Professor Clayton Christensen and his 1997 book The Innovator’s Dilemma. However, what Christensen was really describing wasn’t so much disruption as it was replacement or displacement – smaller companies using technology to usurp the dominant powers of old industry titans. Yet the idea of “disruption” took hold, fueling a general wariness about any new technological process or protocol. Organizations began struggling with people who saw these “new ways” as adding more hurdles to their everyday routine – making it harder for them to do their jobs. Besides, isn’t security someone else’s responsibility anyway?

In our first conversation with banking risk and IT security leader, Gerry Owens, now CEO of GOTAB IT RISK inc., we explored how truly effective change must be driven from the top. But from there, how do you implement acceptance and accountability across all levels of the business? We continued our discussion to find out. 

Gerry Owens on Transformation

Transformation, Not Disruption

Owens has firsthand knowledge of the challenges facing the implementation of technological change in highly regulated industries. For him, there’s only one way for operational change to take hold, grow and thrive – and it’s not through “buy-in.” It’s through actual understanding. It is holistic transformation vs. outright disruption or displacement, as it were.

When it comes to cybersecurity implementations, everyone needs to be seen as a stakeholder and communicated accordingly. “You have to have a transparent conversation,” Owens says. “You have to say, ‘Number one, we are vulnerable, and we’re exposed. Number two, you are responsible for that exposure as much as anybody in this organization’.” For example, when communicating with development teams, he likens applications with hardcoded privileged credentials to “hiding your keys under the doormat.” This type of conversation helps change the developers’ perspective as they gain a new appreciation for how this practice exposes the firm.

Successful cybersecurity programs that prioritize compliance and accountability require common objectives among key stakeholders.  Owens suggests forming a group with shared but different responsibilities to drive this sense of shared accountability – bringing together a CISO, a CTO, even representatives from the technology vendor and integrator so that, as he puts it, “everybody goes to bed at night equally concerned about the goals that need to be achieved.”

Equally important, he notes, is working closely with business and IT process owners to understand current workflows and to embed their expertise into the design of new controls. By asking questions like, “Who really needs elevated privileges to access what systems, why are they required, and at what stages of this process?” you may uncover opportunities to not only improve security but also streamline tasks.

For example, says Owens, “When you sit down and have a serious discussion, holding the CTO and people manager accountable for the access, you may find that 2,000 sysadmins who require far-reaching access becomes 900. And you’ve already reduced risk within that organization.”

Stages of the initiative can then be prioritized and implemented more efficiently, driving quick and measurable “wins” that help build confidence, support, and momentum for the next implementation wave.

Team Players

So how does this 360-degree accountability take hold? Owens explains that while there must be a certain sense of “this is how we do things now” rigidity to quell naysayers, true transformation requires a collective effort, iteration, and time. Here are some ways it can start:

  • Coach, don’t demand. Owens likens change management to coaching a team – you work with your players until mapped out plays become second nature, rather than benching those unable to execute immediately. Teams need to understand what they are doing, why they are doing it and the expected outcome – without these key ingredients, you can’t expect to achieve your goals. Remember that people are always impacted by change: never underestimate the significance of the disruption in their environment, and always explain the “why” – the true purpose behind the plays.
  • Lead with empathy and make it personal. For large-scale initiatives, gaining support from critical user groups like IT admins can be challenging as their daily lives will be most impacted. Show empathy but also challenge perceptions by demonstrating how new practices can actually boost efficiency. Emphasizing nonrepudiation also goes a long way in driving support, Owens explains. “Stronger security controls not only protect our organization, they also protect individual users who can be targeted by attackers based on role or perceived levels of privileged access.”
  • Inspire passion and celebrate successes. “Passion is contagious,” Owens says. “If you have passion for what you’re doing, you will spread it to others working around you – from your leadership team to your change champions to your project teams.” Extending that passion and continuously celebrating successes will make everyone feel part of the movement forward. It’s important all stakeholders feel a sense of pride – that ‘they did this’, as opposed to ‘this was done to them.’
  • Communicate often. Owens knows firsthand that it can be difficult for security professionals to successfully “market” what they do. But during times of great organizational change, trumpeting milestones – and communicating challenges – is essential, because it gives security leaders an opportunity to build awareness and trust through transparency and help everyone address and avoid roadblocks. Large-scale programs often surface and remediate unrelated process or security issues – be sure to call those out. Organizations may consider sending out monthly newsletters with program updates or other similar means of consistent communication to keep everyone looped in. At the end of the day, Owens says, “It’s important the organization understands the positive business impact of the initiative – and the collective effort that’s behind the transformation.”
  • Demonstrate leadership. Every change journey will face differing opinions, pushback, and even open defiance. In these scenarios, you’ll have to demonstrate strong, decisive leadership and be ready to make tough calls. Says Owens, “I’ve had a few conversations with executives who have said, ‘That sounds like the right thing to do, but sometimes we don’t get the support from our senior leaders to invoke tough actions.’ This is typically a sign that the program leadership has not been empowered, either because the initiative itself has not received the appropriate amount of recognition and prioritization across the firm, or the program leaders do not have the confidence to assertively escalate issues.”
  • Align your business strategy to risk. Security initiatives should be aligned to the operational risk oversight of your organization. This function should be able to communicate current and emerging risks your initiative aims to address, and how it will achieve defined risk reduction metrics. However, do not “oversell the risk card,” Owens cautions, as this could lead to false expectations and set your program up for failure. “It is best to deliver fact-based risk insights (industry experiences that relate to your existing business processes) as opposed to fear-based prophecy (using generic terms that suggest the firm will suffer cataclysmic failures if your program is not implemented).” That said, helping businesses understand the inherent risk associated with their processes is necessary, and partnering with other control functions in your organization such as HR, legal and compliance teams can help emphasize the importance of the initiative in driving down organizational risk.

According to Owens, what it boils down to is that companies have gotten so used to terms like “disruption” and “buy-in” that they don’t see how ill-fitting they’ve become. When a “disruptor” has to go level by level in a company and ask for “buy-in,” it makes one side seem like they’re bulldozing through established workflows regardless of their effectiveness, and it gives the other the illusion that they have the option to bow out. That leads to stagnation, inefficiency and confusion. Instead, companies need to preach that shared effort and shared accountability don’t just lead to change for change’s sake.

It leads to evolution.

Previous Article
Three Best Practices to Get Privileged Remote Access Right for the New Normal Workforce
Three Best Practices to Get Privileged Remote Access Right for the New Normal Workforce

While I haven’t seen many of my co-workers in person in almost a year, we’ve found new, collaborative ways ...

Next Article
Get Back to the Basics with Your Company’s Cybersecurity Practices
Get Back to the Basics with Your Company’s Cybersecurity Practices

Basic hygiene best practices go beyond hand washing – even if you’re doing lots of that these days. The sam...