
Illustration by iStock; Security Management

Q&A: Change Management to Achieve Holistic Security

Convergence between physical, cyber, and resilience has long been touted as a security industry best practice, but only 15 percent of organizations have integrated their security teams—and it’s not in the cards for most others.

Instead, recent research from The Clarity Factory, Holistic Security: How physical and cyber security can join forces to strengthen operational resilience, recommends pursuing cross-organizational partnerships and resource-sharing through a holistic security model. Those partnerships can improve security outcomes, especially around risks that are increasingly intertwined between physical and cyber teams. Additionally, a holistic approach strengthens operational resilience, enhances investor and regulator confidence, and drives efficiency.

Change management principles go a long way when pursuing partnerships and organizational realignment, says Rachel Briggs, OBE, CEO of The Clarity Factory. Security Management caught up with Briggs via email to dig deeper into holistic security models and practical steps to realize them.

The conversation has been lightly edited for clarity and length.

Security Management (SM). How does a holistic security model drive operational resilience? 

Rachel Briggs. There is growing interest in operational resilience from regulators and investors who recognize the holistic nature of the threat and risk environments for global businesses. As a result, business leaders increasingly demand a unified view of risk from risk leaders—including security—and recognize that silos are bad for business.

Physical and cybersecurity are responsible for the three critical processes of operational resilience: business continuity (50 percent of CSOs are accountable, and the other 50 percent are involved), crisis management (almost all CSOs are accountable) and disaster recovery (usually the responsibility of cybersecurity or the wider IT or technology team within which cyber sits).

To be truly operationally resilient, these three processes need to be knitted together like a strong rope, as opposed to three separate strands. Only then will the whole of operational resilience be worth more than the sum of its parts.

The biggest win from holistic security is operational resilience, and those companies that achieve full maturity have woven the processes of operational resilience together.

SM. Who needs to be at the table to form the partnerships that underpin holistic security?

Briggs. The CSO and CISO are the key partners in achieving holistic security—it rests on them being leaders who see themselves as risk leaders first, functional heads second, people who can put company before narrow team interests. Many CSOs and CISOs mistake good interpersonal relationships for strong functional partnership—it certainly helps, but it doesn’t on its own deliver multilayered collaboration, and it’s highly sensitive to turnover.

The most mature companies bring both security leadership teams to the table to deepen the connection, offer incentives for collaboration, and script the moves for all team members so everyone understands how things need to change and what they need to do to achieve a new way of working. Hands-off management and leadership don’t work when you are trying to bring about significant change.

SM. What change management principles are most valuable in breaking down those silos and developing a more cohesive security and organizational resilience approach?

Briggs. The most important success factor in any change management process is culture. As the former CEO of IBM, Louis Gerstner, said after leading one of the most successful and significant corporate turnarounds, “I came to see, in my time at IBM, that culture isn’t just one aspect of the game—it is the game.” 

The CSOs and CISOs we interviewed (for the Holistic Security report) recognized this, too, and one-third of CSOs ranked culture as the top obstacle to partnership with cybersecurity. The basic reality is that physical and cybersecurity colleagues speak different languages, have different perspectives and timeframes, and don’t understand what one another does. Even CSOs of converged teams acknowledged that putting people together in the same room doesn’t make them partner. They fall back to their legacy ways of working.

That’s why culture comes first in the Holistic Security Maturity Model, and why the model is designed to be nimble and flexible, because we realize that security teams have different cultures and need to take the basic principles and apply them in the way that works best for them and their organization.

SM. Why is it necessary to speak to participants’ emotional needs first when changing these models and behaviors?

Briggs. Human beings don’t like change. It’s scary because we feel exposed and it leaves us uncertain about how to behave. As a result, under pressure we tend to revert to what we know, our comfort zone. Given security teams work in very high-pressure environments, this makes it even more important to apply finely honed change management practices.

Too often, we assume that if we change structures and processes, behaviors will follow. This isn’t what happens. Human beings simply find ways to work around the new system.

Instead, change processes need to recognize the fact that change is scary and design in ways to make it easier to navigate. Be really clear about what behaviors need to change and how they should change—down to the micro level. Put in place incentives that reward change rather than status quo. Measure partnership behaviors, as well as security outcomes to shine a spotlight on colleagues that are adapting to partnership working. Be clear about roles and responsibilities so everyone understands what’s expected and how their work relates to that of their colleagues around them.

This puts guardrails around the change—making change feel safer and easier—and offers support to colleagues who find it difficult.

SM. Your report mentions making the right behavior easier and the wrong, legacy behavior harder. How can security leaders go about that without it feeling punitive, frustrating, or confusing for participants? 

Briggs. Clarity is the essential ingredient of effective change management. Renowned change management experts Chip and Dan Heath talk about the importance of “scripting the moves.” What they mean is that, as the leader, you have to break things down into bite-sized chunks so everyone understands how to be different and exactly what is expected of them.

Some might feel uncomfortable, like they are micromanaging their team. However, while being hands-off is empowering in business-as-usual teams or those where small-scale adjustment is needed, it is counterproductive where big change is needed. In those situations, your team needs clarity about what exactly needs to change and how, right down to the task level. They need to build new muscle memory to ensure they don’t fall back on the old ways of working when pressure builds, and you will all need to course correct as you work out what does and doesn’t work. You can only do that if you’re in the trenches with them, to a certain extent.

For today’s leaders, this seems counterintuitive. But everything we know about successful change projects tells us it is essential.

SM. What should security leaders do now to start building partnerships to achieve holistic security?

Briggs. I would urge CSOs and CISOs to take four steps to start building holistic security.

First, start the conversation with your security peer. I’m hearing from countless CSOs and CISOs who are using The Clarity Factory’s Holistic Security Maturity Model to start a discussion about where they are on the maturity spectrum, the level of maturity they think would be right for them, and the next step they need to take to mature the partnership. For those who want to take the next step, they can use our Holistic Security Self-Assessment tool.

I’d highly recommend that when you have this discussion you take convergence off the table because it can lead to defensiveness. Regardless of whether it’s where you think you should end up, start the conversation with an open and curious mind.

Second, identify one or two low-hanging fruit and high-yielding opportunities where partnership will be a win-win. Make this specific, for example: How could you bring together physical and system access control data to get a better handle on impossible travel and insider risk? How can your physical and cybersecurity threat management teams share data sources? Or how could you partner with cybersecurity to boost digital security within your executive protection program?

Third, start socializing the principles and benefits of holistic security to your manager with tangible examples of the wins you have achieved for the organization. You might not have decision power over where you report, but you do have opportunities to influence, so use them.

Fourth, start somewhere and build patiently. You don’t ask someone to marry you on your first date, and you can’t expect full-blown partnership to materialize overnight. It takes time. Be patient, be persistent, stay positive, and see setbacks as opportunities to learn rather than a sign of failure. Holistic security is good for business.

Claire Meyer is editor-in-chief at Security Management. Connect with her on LinkedIn or via email at [email protected].