Information security professionals not only have to deal with change, more often than not they represent change. It might be changing the way a company manages access to its systems, works with third-parties or anything else.
To be effective with the change management process, security professionals should work with the business, demonstrating the value of security.
John Kotter in his book Our Iceberg is Melting tells a story about a penguin colony, which demonstrates basic principles of successful change management:
- Establish a sense of urgency
- Create a guiding coalition
- Develop a change vision
- Communicate the vision for buy-in
- Empower broad-based action
- Generate short-term wins
- Never let up
- Anchor new approaches into the culture
A company experienced a significant data breach from a malicious source which led to the loss of strategically sensitive information. I was called in to manage a security remediation project. Given that data at rest is a critical asset, remediating and hardening the company’s business critical databases was a key component of this program.
The client designed a solution for database security but was struggling to implement it and gain the required stakeholder buy-in. Furthermore, the client’s business critical landscape was highly dispersed – with application management spread across multiple business units based out of a number of countries and database management was overseen by third-party IT vendor.
I was a part of the project management team, which was established to coordinate multiple stakeholders in order to implement the end-to-end solution for database security consisting of monitoring, reporting and remediation of business critical databases.
I identified that the most significant obstacle was business application owner understanding of the system, the processes, and the benefits of implementation. I initially engaged in extensive stakeholder communication and business change management to ensure the required buy-in.
I drove the progress of system implementation through stakeholder management, delivery management, information gathering and providing technical expertise and management reporting. I worked within the client’s project management methodology whilst leveraging my experience and expertise in project management to ensure timely delivery.
As a result, the business critical databases in scope were brought into the known state of compliance, drastically reducing the attack surface. Moreover, awareness of the importance of application security and secure behaviours to support databases was raised significantly.
I embedded the processes to implement the system into the client’s run and maintain activities, ensuring that future changes to their business critical landscape do not introduce new database vulnerabilities. I also developed an asset inventory for business critical databases which improved upon any previous client efforts.
Image courtesy ddpavumba / FreeDigitalPhotos.net