Illustration by iStock; Security Management

Empowering Cybersecurity with Effective Change Management: Lessons Learned at the CIA

Organizational change management is inherently anxiety-provoking. Focus that change management effort on cybersecurity and you’ve made a stressful, complicated task even more fraught. Layer in the frequently cited McKinsey report that 70 percent of all change programs fail, and it can seem downright impossible. But change management doesn’t have to feel so grim.

When you avoid the typical traps, build alignment, and act with conviction and consistency, success is possible. That was the situation I found myself in at the U.S. Central Intelligence Agency (CIA) in the early 2020s. These are the lessons drawn from that daunting but ultimately successful effort. 

When Structural Change Is an Imperative

In the 2010s, as the world emerged from the aftermath of 9/11, the CIA recognized that, for all the right reasons, its focus on terrorism had overshadowed the digital revolution transforming the world. “The Agency” had not introduced a new directorate for half a century, but in 2015 the Directorate of Digital Innovation (DDI) was launched to address the intense demand for digital transformation. During this historic reorganization, the majority of digital functions moved into the new directorate, with one major exception: Cybersecurity remained under the Directorate of Support.

Fast forward five years, and it was clear that keeping cybersecurity outside the DDI posed significant operational challenges. Cyber defense was often seen by mission components as a drag on their operations. The team was filled with talented, dedicated professionals, but their efforts were sometimes out of sync with IT delivery and data management initiatives. In addition, separating the cybersecurity team from the rest of the CIA’s digital experts was an unintended barrier to the kind of cross-pollination of talent that builds shared understanding and a joint sense of mission. There was a growing consensus that it was time to move cybersecurity into the DDI to fully integrate it into the CIA’s increasingly digital DNA.

As a senior officer in the DDI, I had some experience with digital transformation and change management in other mission areas. CIA leaders in all directorates are formally trained throughout their careers on how to manage change. Little did I know when I was first asked to take over as the new chief information security officer (CISO) how grateful I’d be for that training and experience.

Where Does Cybersecurity Belong?

As demands for cybersecurity have evolved, the question of how to position the team within the broader organization has received a lot of attention. In many organizations, business leaders feel that cybersecurity is a drag on their productivity, and cybersecurity practitioners think that business leaders “don’t get it.” It doesn’t have to be this way. There are principles that can help leaders achieve alignment between cybersecurity and the organizational mission. 

A fundamental principle that should guide alignment is that cybersecurity risk and operational risk are indivisible. If this principle is violated, alignment is impossible.

As I ramped up in my CISO role, it became clear that mission leaders didn’t fully appreciate the extent to which cyber risk directly affected their missions. I knew from decades of working side by side with these leaders how smart, capable, and professional they were. The misalignment had to be structural. These leaders and their teams wake up every day striving to do what’s right for the nation. I had no doubt that if cybersecurity were a bigger part of that picture in their minds, they would take it seriously. 

Making the Case for Change

The logical argument for moving the cybersecurity team under the DDI was clear: Integrate security more tightly across the engineering, data, IT, and artificial intelligence (AI) functions, so that the CIA’s digital teams could more efficiently and effectively support core missions. Our goal was to move security from being viewed as a roadblock to becoming a true mission enabler. But change management is never that simple.

We had to figure out how to embed risk ownership within the workflows across all functional areas so that everyone would take responsibility for it. In the ideal state, cybersecurity is so deeply embedded in workflows that gaps become self-correcting. Instead of vulnerabilities being identified by “outsiders” and fixes being pushed from above, it becomes a pull strategy from the frontline. 

Building the case for moving the cybersecurity team into the DDI and defining exactly how it would work was a methodical, studied effort that took all of this into consideration. 

The Building Blocks of Effective Change Management

Like my former colleagues at the CIA, I received excellent training over the years in the change management approach developed by John P. Kotter. His methodologies have long been a north star. If you need to launch a big change management effort, don’t wing it, and don’t try to recreate the wheel. There are excellent models to follow. Building on proven practices will take you further faster.

Beyond the tactical details, these are the six things I found essential to our success in implementing this significant organizational change at the CIA.

Craft a compelling story. Evangelizing change demands an extraordinary amount of deep listening, synthesizing, and storytelling. You have to move beyond the technical mindset and be willing to engage people at all levels.

Change management is a contact sport. I mean that figuratively, of course, but the point is that 70 percent of change efforts fail for a reason: Organizational change is exhausting! You overcome resistance by bringing people along and helping them see why the change you are advocating is important to them and the broader organization. To elevate the importance of cybersecurity and bring people onboard with the plan, I had to ensure that everyone clearly understood the collective risks we had to manage. Unless they felt the weight of their responsibility and incorporated it in day-to-day operations, there was no way to create a self-correcting system.

To accomplish this, my team and I took every opportunity to get in front of people—from one-on-one meetings to workforce communications to an “Ask the CISO” forum. People notice your accessibility. They feel your passion. The story you tell should resonate at both a logical and an emotional level.

Find allies early. Change management is a team sport. If you think you can effect organizational change through sheer force of will, you are in for a big surprise. In my case, the ally I needed most was obvious: the chief information officer (CIO). She was one of the most credible, talented, and inspirational leaders I’d met, and she enjoyed broad support across the agency. Luckily for me, she took cybersecurity extremely seriously, even telling her leaders that they needed to view cybersecurity as their “major” and IT as their “minor.” This was a remarkable thing for the CIO with an enormous charter to say, and it helped reinforce the call for change we developed and refined together.

The CIO and I were deeply grateful to have access to and support from the CIA’s executive leadership team. The deputy COO, the COO, the deputy director, and the director himself were fully aligned on the central importance of cybersecurity to the CIA's mission. When you are trying to drive change on a broad organizational scale, there’s no substitute for getting the bosses to reinforce your story.

Stakeholders who stand to lose something due to the change deserve respect and special attention. Thinking in terms of winners and losers isn’t a great way to approach organizational change, but in reality people don’t like to cede resources, mission, and influence. When it came to moving the cybersecurity team, we had an enormous advantage in that the deputy director of support—who stood to lose the cybersecurity team—was a mission- and people-first leader whose personal ego never entered the picture.

Once convinced that the proposed change was the right thing to do, she and her counterpart, the deputy director for digital innovation, worked hand in glove to ensure the many details underpinning this months-long change effort were handled quickly and effectively. Their selfless approach was an inspirational example of what can be accomplished when stakeholder alignment is strong.

Be ready for resistance. Whether resistance is rooted in comfort with the status quo, or there are cultural antibodies to change circulating throughout the organization, be prepared for various stakeholders to dig in and fight the change. Study your organization’s past change efforts so you know where the land mines are hidden. Many organizations have an official historian function that you can tap into. Or you may need to identify the de facto historians within your organization and ask them to educate you. They can help you fill in context, see patterns of resistance, and better understand any ingrained cynicism. Be resilient in the face of being told over and over that change is doomed to fail. Study hard, and trust the process.

Align the stakeholders. This isn’t a charm offensive. Change management is about understanding real concerns, unpacking existing incentives, and ensuring future incentives are aligned with the desired organizational end state. Always be ready to listen and take notes. This is the subject matter for the compelling story you are continuously refining.

One thing I could count on was the CIA’s legendary sense of mission. CIA officers are hardwired to do what’s right for the mission. If they think the right thing is to dodge the cybersecurity people standing in their way, they will. We had to show them that aligning with cybersecurity was the right thing to do. We developed risk visualizations keyed to the various Mission Centers at the CIA (analogous to business units in the private sector), and we taught the respective assistant directors in charge how to manage the risk they could now see with their own eyes. Once they could see how cybersecurity risk directly affected their world, we were able to get stakeholder alignment faster. This is a key point: You can’t just present the conceptual notion of risk. It has to be contextualized to have an impact.

To institutionalize support, you have to align incentives. How are people evaluated? What are the goals or key performance indicators they have to achieve? Are awards and bonuses tied to risk reduction in some way? In this instance, we also had to address their greatest concern head on—would more integrated cybersecurity slow the mission down? We committed to the goal of actually accelerating the mission when possible. And when acceleration wasn’t possible, we were transparent about our efforts to do right by our mission teammates.

Secure early wins. Punctuate your storytelling with tangible successes on a continuous basis, and highlight the many people across the organization involved in those success stories. (Sorry CISOs, the story isn’t about you. It’s about the people who lean in and make change possible.) During our efforts, we often highlighted junior employees to executive leadership, explaining how they were driving good cybersecurity across the agency. This ongoing process not only shows that change is possible but also creates a sense of contagious enthusiasm. If you can package this sense of progress into campaigns, all the better.

Keep your timeline tight. Infusing the call for change with a sense of urgency is important, not only to generate excitement and momentum, but also because people tire of a change project that drags on. Tying an aggressive deadline to a big organizational goal or event can be highly effective. People don’t like to fail in general, and they really don’t like to fail in spectacularly public ways. Regardless of how you set up the timeline, make sure it’s clear to everyone involved what success will look like as well as how progress toward that success will be measured and conveyed. Also give some thought to the need for revisions, and build that factor into the timeline. Prepare for the reality that you might not get every aspect of the change project right, even if it’s successful overall.

At the End of the Day, We’re All Human

Change management isn’t for the faint of heart. If you are calling for change, people will push back. No matter what happens, lead with clarity and conviction—but also with empathy. You have to be ready to revisit the call for change on a moment’s notice, tell the story again, share the data, and put in the time with people at every level to bring them along. This is how you avoid contributing to the change management failure statistics.

If you find yourself getting overly frustrated or angry in the process, you might need to change course. If you are hitting a real roadblock—one that feels like failure in the making—perhaps you haven’t fully understood the concerns or aligned the incentives effectively. If it starts to feel personal and people are reacting as if being attacked, it’s time to step back and reevaluate. Run through the entire change framework you are following and look for steps you may have missed.

In any change, human emotion is a core driver. Remembering that is perhaps the most critical part of the process. If the dedicated professionals at the CIA—despite all the pressures and demands of their high-stakes mission—can navigate the challenges of change management, you can, too.

William MacMillan is chief product officer at Andesite, where he sets the overall product vision and strategy. Previously, MacMillan was senior vice president for information security at Salesforce, and the CISO at the Central Intelligence Agency (CIA), where he led a sweeping transformation of the agency's cybersecurity strategy and organization. Throughout his career, which includes serving as an officer and a pilot in the U.S. Air Force’s Combat Rescue and Special Operations communities, MacMillan has focused on insider threat, supply chain risk, and incident response issues.

© 2025, William M. MacMillan
