"By any objective measure, the amount of significant, often traumatic change in organizations has grown tremendously over the past two decades." – John P. Kotter.
News, media, and socials, it seems as though change management permeates our feeds, catching the eye of the C-Suite, HR departments, and IT teams, sweeping projects across the globe. Professional associations are gaining presence, with job opportunities popping up all over the place.
Stemming from the security industry, I love it, but my prevailing thought? ‘Oh crap.’
We’ve been here before, and to much degree, we still are—broad, all-encompassing terms confusing the discipline. You work in security? Oh, you must do cyber. Probably a mall cop. Can you break into a bank? Can I get an extra proxy card? (Yes, somewhat tongue in cheek, with a nod to cringeworthy jargon still used today)
Change management? My company has a department for that; I’m hands-off. Our IT handles change management. They assigned a project manager. However bleak, in essence, great. These are statements from organizations that are doing something.
On the bright side, with change management’s pervasive absorption of professional environments, boards are listening, leadership is talking, and downstream departments are, well, grappling.
With change management encircling your business, how do you know when and what type of change management to use? Isn’t CM just CM?
For this article, we will look at three common areas of change management:
Project Management
Information Technology
Organizational Change
I'm ecstatic that more industries are incorporating change management into their practices. Since they are based on similar principles, this strategic move positions them well for success in their respective transformative goals.
Wait. If change management is based on the same principles, doesn’t that make it the same?
Sort of, but no. Let’s explore.
There are several associations and think tanks on change. One such scholar is William Bridges; he created the Transition Model to help individuals manage and navigate through the human side of change. Bridges looks at change as situational, for example, moving to a new location, upgrading security systems, implementing analytics, or the convergence of cyber-physical security. In business, we deal with change and different types of projects daily, often to a burdensome degree.
Interestingly, Bridges describes transition as psychological, which is what happens in people's minds, that change cannot happen without people, and without transition, you have a change which people simply won't follow.
Everett Rogers developed one of the oldest social science theories, the Diffusion of Innovations, in 1962. The theory explains how an idea or product gains momentum and spreads through a group, resulting in people adopting a new behaviour, idea, or product as part of a social system.
Adoption involves a deliberate shift from an individual's current actions or customs to being in alignment with the desired future state. Rogers’ viewpoint of adoption is how the individual perceives the idea, behaviour, or product as new or innovative.
Yet, Kubler-Ross outlines stages of grief, denial, anger, bargaining, and depression before acceptance. People tend to fear the unknown, such as job security, adapting to new systems, their workload, or new reporting structures, and viewing change as an unnecessary extra effort.
Therein exists a magnitude of reasons not to change.
Individuals generally need to alter their views or behaviours, leading to change resistance. Beliefs may have to adjust -we often see this with DE&I - I'm not bad, so why should I change? - There is learning and unlearning that may have to occur. Losses, and therefore grief, have emotional consequences, even if losses are subjective and not understood by others. It is important to note that individuals will revert to past habits or behaviours where a change is improperly managed, exhibiting lower motivation and trust with higher apprehension, absenteeism, and turnover.
Project Management
Managing projects and effecting change are different but complementary. They often intersect and depend on each other to produce value; however, the extent of codependency varies based on organizational structure, type of change, methods used, capacity and change maturity levels. Nevertheless, combining project and change management is beneficial and often logical to meet shared objectives.
The Project Management Institute, PMI, is a professional organization recognized as the leading authority on project management (PMI, 2023). It developed the Project Management Professional, PMP, Certification and global standard, the Guide to the Project Management Body of Knowledge (PMBOK Guide), which defines a project as:
“A temporary endeavor undertaken to create a unique product, service or result. (PMI, 2017)”
That is a product, service, result, or a combination of the three, with a defined start and end date. Project management applies to projects of any size or company, as it brings structure to operations, manages budgets and schedules, and documents accountability to completion.
Notice that project management focuses on tangibles, such as generating something people can see, touch, feel, or use. Project Managers (PM) will also be familiar with change management plans, another type of CM existing within a project management plan that handles governance for project-related change.
Excitingly, PMI offers micro-credentials for advanced learning opportunities in OT, Organizational Transformation (sorry techies, not Operational Technology). PMI states, “OT is a process of significant and comprehensive change in an organization's structure, culture, and strategy. (PMI, 2023)”. Okay, getting warmer.
OT PM supports organization transformation IT projects. It is important to point out that project management itself is a non-technical discipline. While advanced PM training benefits understanding of technical project delivery, it does not replace the technical expertise required by IT, digital transformation or organizational change.
Retaining a dedicated PMP may be most valuable if your company is preparing to undertake a large, multidisciplinary project. A disciplinary-based PM, while still likely a skilled project manager, may focus where they are most comfortable, which is within their line of work. This means interdisciplinary teams may risk balanced coordination or have project meetings derailed by impromptu workshopping (i.e., taking the technical work upon themselves). A neutral and dedicated PM may best serve your project, and safeguard agendas, thereby time and costs, with appropriate attention to the right things.
Information Technology
You’ve likely by now heard of digital transformation or Enterprise Resource Planning (ERP); these types of corporate overhauls cover a broad range of initiatives such as cloud computing, process improvement, artificial intelligence, or migrating from analog services to digital ones, like asset tracking, VOIP or chatbots. Typical ERP implementations include Customer Relationship Management (CRM), Financial Accounting & Reporting (FAR), Human Capital Management (HCM), and Supply Chain Management (SCM). Their outcomes aim to optimize, streamline, and improve overall business agility, competitiveness, desirability, and governance, to name a few.
Because IT initiatives have a beginning and an end and produce a product, service, or result, they benefit from project managers. Their complex nature highlights the need for advanced PM knowledge and skilled technical talent. However, IT Change Management falls under the umbrella of IT Service Management.
ITSM maintains consistency in procedures and policies, including configuration management or system lifecycles, while implementing changes with minimal impact on IT services. ITSM follows a change management process often involving three rudimentary phases: Request for Change (RFC), Approval, and a Rollback plan. Rollback safeguards system changes negatively affecting business operations by reverting to its previous state. The extent of each ITSM CM phase is complex, with formal policies, reviews, approvals, and documentation requirements, which are not the focus of this article.
ITSM digital transformation is, as we saw earlier, a temporary endeavour to create a unique product or service. It is, by every definition, an ITSM project focusing on its result of being a way to do business through an IT application.
Training
Training included as part of the rollout – good enough?
Security Operators are all too familiar with project-mandated training. Standards often require instructor-led training, train the trainer or other scripted on-the-job methods. Written as specifications, these training practices achieve one thing – substantial completion.
Project-based training provides step-by-step instructions, common scenarios, and pre-defined examples following significant system upgrades. Rightfully so, system operators and owners are responsible for using and maintaining their systems. So why are so many new systems ineffectively operated or performance expectations unfulfilled? The short answer - project responsibilities are temporary.
The training takes place over a few short sessions to meet compliance before the contract concludes, the project team disbands and moves on to the next assignment. System operators are deeply embedded in familiarity with legacy processes, instinctively executing upon past procedures and programming. And it doesn’t end here. Even after a successful ERP implementation, people still use static spreadsheets. Maintaining offline customer lists renders CRM systems inefficient. FAR cannot generate accurate financial models where costs, revenue, or pipelines are held back.
Organizational Change
Companies undergo several different types of organizational change to improve efficiency, reduce expenses, or respond to markets. Other changes are implemented to address personnel concerns or improve the overall culture. Common organizational changes include structural, process, cultural, and strategic change. Structural change involves reorganizing the hierarchy or departments within a company. Process change consists of changing how work is performed. Cultural change may affect the values and beliefs of the organization, while strategic change could shift the overall direction. Each type of change requires careful planning and implementation to become successful and sustainable for all involved.
Notice here that although these may seem like projects on the surface, the profound impact is on humans and their behaviour. Is it rational to approach a human-centred project by the same means as an inanimate project or application? There is no human rollback switch if outcomes fail to meet objectives.
Earlier, we touched on how CM focuses on the human side of change. Successful adults are unlikely to adopt new ways unless they feel pressure or have the necessary tools and incentives. Organizational Change Management (OCM) educates and provides a framework to help understand the benefits of change, with culture and behaviour playing a critical role in the success of such initiatives. Coherence, transparency, and support of messaging guide people to understand what they need to know and do and outline expectations for ongoing performance and support to promote sustainability.
Regardless of chosen OCM tools, always prioritize the human side of change. Change can occur relatively rapidly, but the process of transition takes time. Transitions can radically impact organizations, including adverse psychological effects on individuals that can collectively be catastrophic. Damaging effects can lead to increased vulnerability to competition, unintended costs, deterioration of organizational culture, change fatigue and change saturation.
Qualified resources are advantageous. Just like project management succeeds projects and IT handles ITSM initiatives, having change leaders, change agents, and a change management team steers OCM. When creating a change management team, CMT (not a crisis team), it's important to identify key personnel responsible for and impacted by the change through stakeholder analysis. Tempting as it may be, individuals in positions of power without appropriate OCM knowledge or interest should be categorized as such and placed appropriately on the stakeholder register. Sponsors and stakeholders will need guidance, but experienced and qualified individuals must take on the responsibilities and accountability of Sponsorship and Change leadership to steer the craft.
Corporate Security and Organizational Change Management
My company has a department for that; I’m hands-off. - Not so fast, Mx. CSO.
The security function's structure, processes, culture, and strategy are complex and sophisticated, even for experienced security executives. Would you be comfortable entrusting your organization's security to someone with little to no knowledge in this area? Is it a risk worth taking?
OCM often resides in business operations or the HR function, but its purpose is to assist you, your team, and your objectives in achieving success for the greater organization. Having a security strategy, plan, resources, and operational requirements established, presentable and well articulated will further support approvals and authority to manage your business. Your recommendations will lay the foundation for change objectives and success criteria.
Security Organizational Change Management, SOCM, brings together the facets of security management with change management, for sound advice and planning directly related to security operations. Security leaders are under constant pressure to keep up with technological advancements, business processes, and the high expectations of stakeholders and clients. The risk landscape is constantly changing, requiring constant vigilance and the ability to respond quickly and relevantly. SOCM supports the strategy, vision and execution for long-term, innovative planning.
Effective change management is key to achieving transformational goals. Although it can be complex, awareness of specific areas such as project management, information technology, and organizational change can better determine the most effective approach and timing. It's important to remember that change affects people, so attention to their experience is of the utmost priority. With skilled resources and a human-centric design, organizations can overcome challenges and achieve desirable outcomes.
Ter is an ASIS Certified Protection Professional, ACMP Certified Change Management Professional, and ISC2 Certified in Cybersecurity. She owns Portcullis Modern Inc., an advisory firm specializing in management consulting for security professionals.
If you're interested in discovering more, check out www.portcullismodern.com and reach out. SOCM, security management consulting and advisory services are designed to help businesses like yours.
Comments