Case Study: Changing Behaviors at the Cyber Security Front Line
Those in the know predict that the cyber security landscape will likely get worse before it gets better. Symantec reported that in 2015 a record-setting nine mega-breaches occurred, with 429 million identities exposed. Many companies recognized this trend, making proactive investments in cyber security capability. However many assume that the risk is technical. Unfortunately the solution is a people one. It requires the application of cyber security change management in changing behaviors at the front line – our employees.
To meet the goal of protecting the organization from cyber security threats, technology-based solutions alone are insufficient. Even the best technology is inadequate if human operators are unaware of their role in mitigating the threat. To engage the human factor, behavioral change management plays a critical role in the deployment of any cyber security enhancement project. This is particularly important when seeking to get ahead of the curve or when the corporate perception of risk is lagging.
MI-GSO | PCUBED was engaged by an Oil and Gas major in providing cyber security change management services. Working with the client to implement an accelerated cyber security program focused on resilience, presented a unique set of challenges for the team. Especially during such a tight economic backdrop.
One key project focused on removable media (such as USBs, smart devices and portable hard drives) as a threat vector. While well-funded by the enterprise, the accelerated pace in driving change across the diverse business units required careful planning.
Building Cyber Awareness with Change Management
When undertaking the proactive cyber security change management initiative, it was essential to quickly and clearly articulate the risk. As stated above, many employees and consultants are unaware of their role in mitigating a cyber threat. Step 1 in any change management initiative is building awareness around the need for change.
In the evolving risk landscape, many may not understand the mechanisms by which malicious code can be transmitted. Like a flu virus spreads through an innocuous handshake, so can malicious code through thoughtless insertion of a USB flash drive into a corporate network.
USB has been identified as the primary method to spread STUXNET. It was a malicious worm notoriously used to target Programmable Lifecycle Controllers (PLC) within automation systems. In the energy industry, specifically the industrial control systems (ICS) space, many networks are operated by facility / mechanical engineers. The sector also leverages vendor-rich resource pools. These two groups often have higher demand for file transfer flexibility. Meaning the likelihood of USB usage is higher. But these resource groups are also typically outside the usual corporate IT messaging and communication channels. In order to be aware of the need to change, one must find a way for the message to reach them first.
Defining a Communications Plan
The best way to strategize how to reach the intended audiences with messages is through a communications plan. Communications is one of the key aspects of change management. In your communications plan you will define tailored, targeted messaging, along with appropriate feedback mechanisms. The aim – to ensure the right messages reach the right people in the right ways, and at the right times.
A change management communications plan, like the one provided below one, identifies the type of communication, who it will go to, key messages, frequency, owner and typically the medium. The medium is how the communication will be delivered.
The team tried several different communication methods, including traditional and non-traditional on this project. Each method was used to target a different change benefit, whether that was increasing adoption, engagement, awareness or perception.
Key recommendations for your communications plan:
The team utilized an additional communication channel for this project that worked rather well – the user group. When developing a solution you wish to resonate with end users, it is useful to demonstrate knowledge of the procedures and controls currently in use within the business. The project team used surveys to gather “current-state” data from each end user group. The team then validated the findings back with the user groups to ensure buy-in. This also ensured any recommendations proposed were demonstrated to be fit-for-purpose with that user group.
Engaging end users in the conversation from this early stage builds the omnipresent foundational layer of all change models – Awareness. Ensuring a thorough knowledge of the baseline practices also provided the opportunity to develop use cases in-house; acknowledging home-grown expertise within the company, proven to fit current operating models.
Roadmap to the Desired State
With a foundation for change built through Awareness it was time to start to actively manage the change. As deployments commenced, the MI-GSO | PCUBED team began championing early adopters to share success stories and case history. This aided the project team in demonstrating the benefits of the action to the rest of the organization. Evidence of improved detection rates are gold for a pro-active cyber security project. Driving desire for change by demonstrating that the problem exists and that you have successfully mitigated it, all-in-one.
This project had encountered some end user resistance requiring mitigation. Some resistance was based on perception of low return on investment in the current fiscal climate. Conversely, other stakeholders suggested that the solution did not go far enough. Or that the solution provided only a low value-add intermediary step, which could cause a need for re-work in future. To satisfy the arguments, it was necessary to demonstrate the investment to be incremental, agile and supportive of current business practices. In essence the team needed to build a roadmap to the future state, laying out clearly the steps involved in getting there.
Integrating cyber security is a modern cost of doing business, making many cyber security projects a matter of compliance. Proving measurable benefits (through championing of early adopters) in the short term, and providing a clear and concise road map for building out the capability over time, provided ample fodder to build up that desire and reduce adoption resistance.
To help users understand the incremental approach, the project team leveraged industry best practices such as P3M3 and BISSM to design a maturity model to assess people, process and tool capability. Business units were measured against the model, and required actions and recommended practices were tailored to their current state. Business units with below average practices were instructed on how to meet minimum bench marks with a focus on how this initial investment could be built upon as the processes matured.
Helping stakeholders and end users to understand the threat and change behavior, rather than rely on technology alone to mitigate risk, is not a small undertaking. The optimistic human condition can make it challenging to build up excitement when the risk doesn’t yet seem real to users.
Supplementing change tactics with proven tools and techniques from three of the four MI-GSO | PCUBED service lines; program delivery using AGILE, change management, and enterprise project delivery helped ensure project success. The change management team found that early and active engagement through existing channels, and leveraging an Agile, incremental approach to solution design and deployment goes a long way to breaking down resistance and enticing users from all fields into the mindset of maintaining a healthy cyber security posture.
To read more on how to apply an agile change management approach check out our case study Change Management for ERP Systems.
Loved what you just read?
Let's stay in touch.
No spam, only great things to read in our newsletter.
We’re committed to your privacy. MI-GSO | PCUBED uses the information you provide to us to contact you about our relevant content and services. You may unsubscribe from these communications at any time.