Why Change Management Is Important
In your business, change brings you new capabilities, better efficiencies, and new ways of doing things. Change erases poor processes rife with wasteful steps, eliminates toxic leadership, and retires substandard products. Thus, change can be a very good thing.
Change also can introduce significant risk to you and your organization. In fact, periods of change are when most risk is introduced. Changes in personnel, process, and products represent a great risk to you and your business. You need to be keenly aware of change and be prepared to manage it as part of your risk management process.
Your risk environment is complicated. You and your organization face an ever-evolving threat landscape replete with increasingly sophisticated cyber threats and malicious bad actors. Attacks can range from cyber “weapons of mass disruption” such as distributed denial of service (DDoS) attacks and zombie infestations up to and including finely tuned, exquisitely researched, and implemented focused attacks specifically targeted against you and your information.
There are many capable bad guys out there who can ruin your day (and your business) just by hacking into your computer systems and gaining access to your information.
But what if somehow these bad actors were aided inadvertently by someone in your organization? What if your own organizational processes were a mechanism that enabled a bad actor to gain access to your vital information? Sadly, this happens all too often. The Gartner Group estimates 65% of all cyber attacks exploit misconfigured systems.
We actually think that figure is too low. We submit that the likelihood that someone specifically targets you or your business is fairly low, yet with hackers and the curious using tools like Nmap and Nessus to scan the Internet continuously for vulnerabilities and Metasploit to exploit discovered vulnerabilities, if you have a misconfigured system, chances are very good that someone will find it and potentially exploit it.
Cyber attacks can wreak havoc on your business and drive huge losses, cause potential litigation, and lead to loss of precious momentum. So can system downtime caused by your own people. Gartner research estimates that the average cost of downtime for a small- or midsized business is approximately US $42,000 an hour, but for larger companies or e-commerce models, this number can easily reach six figures. Most businesses, including yours, cannot afford to absorb the damage that downtime produces.
Regrettably, most downtime is found to be a self-inflicted wound. According to the Yankee Group, an IT research organization, over 62% of all network downtime is caused by configuration errors. Downtime is a denial-of-service attack against you and your business that costs you precious time and money.
For your IT staff, it is a catastrophe and professional embarrassment. It also is a time when even more configuration errors that can expose you and your business to additional risks inadvertently may be introduced as the staff scrambles to restore service as fast as possible.
We advise that the best thing executives can do during periods of downtime is to remain calm, ensure the IT staff has the right resources (i.e., time, people, and tools) to properly restore services, and, after restoration, order a thorough vulnerability scan to ensure that the “fix action” did not introduce a new vulnerability.
With IT systems and their associated code being so complex, one can see how easy it is to mistype a digit or miss a step in a procedure. Nonetheless, with the consequences of downtime or exploitation presenting such a high risk to you and your business, you cannot afford such missteps. You need to ensure that any changes to your security baseline are closely managed and risks controlled.
Many businesses are required to have change management controls as directed by such laws and regulations as the Sarbanes–Oxley Act and HIPAA. If you are part of an organization operating or supplying critical national infrastructure, change management controls are mandatory to ensure safety and security.
Shareholders and regulators both look to see whether management is effective in making information secure in accordance with mandatory controls and industry best practices. Failure to comply and deliver satisfactory results clearly (and appropriately) is viewed as a management failure.
Billy Crystal says, “Change is such hard work.” It indeed is hard work, yet change is a fact of life that occurs in both your home and business environments, in available technologies, and in personnel and processes. In order to manage your cybersecurity risk, you must tightly control your change management process.
WHEN TO CHANGE?
Many people know they have to make changes, but don’t know when to pull the trigger. They look at the risks associated with a proposed change and determine they don’t have the appetite to accept the risks. Others are comfortable with the way things are and don’t see the need to change.
After all, they have benefited from their current processes and products and see no need to change. A third group recognizes the need to change and is continually looking for new and better ways to posture their business to produce high-quality products valued by an ever-increasing market, but haven’t yet decided on their next steps. Do any of these describe you and your company?
Obsolescence: Obsolescence is a significant driver in spurring change. For example, chances are very good that if you ask one of your employees under the age of 25 to use a typewriter and carbon paper to type a memo, they will look at you as though you have three eyes and are speaking to them in Klingon.
How many businesses still have typewriters? When was the last time you used carbon paper to make duplicate copies of your documentation? Have you tried buying carbon paper lately? While it is still made (in much-reduced quantities), it is increasingly difficult to find in stores.
Good luck too in finding typewriters because computers and printers have virtually rendered typewriters obsolete. Even if you have a secret love affair with your trusty IBM Selectric III and want to continue to use typewriters and carbon paper (if you can find them), the obsolescence of the technology does not make it a good fit for today’s competitive business environment. You need to change.
Obsolescence doesn’t only apply to storage media and hardware. In fact, it happens with software at a much greater and faster rate and often drives significant investments in time, staff, and other resources to ensure that your software remains current and protected against threats. This applies to both your home and your office.
Let’s look at a home example first. You may have a Dell computer loaded with the Windows XP operating system. You may use the computer to manage your finances using your trusty Quicken software, play solitaire and other fun games that you’ve mastered over the years, and type letters to friends using your WordPerfect word processing software and printed on your ancient Epson printer (it is a good thing you stocked up on its ink cartridges as they are getting more expensive and difficult to find!).
What do you do if the computer dies? Can you migrate your software over to a new computer? Probably not, as the software was written for a specific operating system that is no longer supported by Microsoft and most likely wouldn’t work on your new computer’s chipset. Even if it did, you probably wouldn’t want it, as the security of older code is suspect and the newer products are orders of magnitude better in terms of security and performance.
In fact, if you do have that trusty Windows XP computer, we recommend you back up all your information and make certain you do not connect it to the Internet as there are legions of bad actors ready to exploit old systems out there looking for it!
Examples in the office aren’t this easy and straightforward. Office environments typically are more complex and involve significant numbers and types of computers, network devices, and software packages that all have to work together to support your business effectively, efficiently, and securely.
Each of these pieces of hardware and software has its own independent cycle of required upgrades and patching that maintains your cybersecurity posture as well as market currency.
Choreographing the upgrades so your network continues to work well in support of your business while remaining secure from the vulnerabilities that expose you to risk is a daunting challenge and a principal concern of your IT staff, your CIO, and risk managers. It should be yours too!
Let’s say, for example, that your organization not only has its corporate intranet to handle internal business but also it has a robust web presence with web pages that advertise your products and services. Because you operate in a competitive global market, your web page is critical as one of your core services is to provide timely and accurate information to your current and prospective customers.
Unfortunately, several of your firewalls are misconfigured; you are running out-of-date software; and you have a backlog of security patches that have yet to be installed, including the latest version of the Microsoft Server operating system used by your servers. Would you be surprised if hackers discovered these deficiencies during their persistent scanning of the Internet? We wouldn’t.
Best value: Best value is the second driver that influences change. As an executive, you make decisions every day that involve the best value. You decide how to allocate resources for the best effect, what processes to use, and how to invest in the future.
The author has a personal example that illustrates how best value determinations affect change. Several years ago, the author was newly assigned to a position as the IT director for the Air Force’s human resources organization. The organization was still reeling from a major failure in the rollout of the new military personnel system under the previous leadership regime and was gun-shy of any new changes in technology.
When the author arrived, he found a mishmash of servers, software, and network equipment from nearly every major vendor in the market. It was as if the organization had decided to say “yes” to every salesperson who ever visited. The equipment filled the server room to capacity and strained the facility’s HVAC and electrical system.
The host of contract and direct employees needed to operate and maintain the systems continually jockeyed for precious desk space, heightening an already peaked stress level.
I knew we could not continue to operate this way and ordered a junior officer to lead an assessment of the operating environment. I trained the officer how to determine its total cost of ownership and set him loose to assess each system. What he found made our next steps clear. We were extremely inefficient.
The servers in the fleet were beyond their manufacturer-recommended service lives, were expensive to operate and maintain, were operating below capacity, and were spread across racks that were not filled to capacity. Given the officer’s report, I commissioned two independent studies to evaluate consolidation of servers using a technique called virtualization. One would be conducted by in-house personnel, while the other would be conducted by a contract consultant who specialized in server consolidation and virtualization.
The reports came back quickly with nearly identical recommendations: consolidation and virtualization would save us over US $1.5 million in direct costs, would allow us to reduce staff by 25%, and would reduce our facility footprint by over 65%, helping us avoid costly upgrades to our HVAC and power systems. It clearly was indeed the best course of action.
The fact that the in-house recommendation matched that of an “expert” gave leadership and my staff the confidence to take the next steps toward the change we elected to make. After gaining approval from our agency head and the other managing directors, we moved forward with the change (managed exceptionally well by that junior officer) and executed the plan without any downtime to business operations.
We made the change because it clearly was the best value proposition. We were able to operate at an equal-to-or-better level of service, we significantly reduced operating and labor costs, and we avoided costly facility investments if we stayed the course with the existing systems. We changed for the best and our leadership and key stakeholders appreciated the results!
Do you look at the best value when making change decisions? Do you look beyond the initial price tag to see if there are any second- or third-order effects (such as what we found with power and HVAC)? Are your hardware and software solutions the best value for you and your business? What changes are you looking to make?
Competitive advantage: The third motivation in making change is to maintain a competitive advantage. A great example is found in baseball and “Big Data.” “Big Data” refers to the huge amount of unstructured and structured data available through automated systems and the analytical tools that are used to convert raw data into actionable information.
As popularized in the book and subsequent movie “Moneyball,” “Big Data” in baseball saw its start in 2000 with Oakland Athletics general manager Billy Steve’s adoption of analytical information to guide personnel decisions.
One of the principal responsibilities of general managers is to form the teams; they acquire, trade, and assign the players. Steve knew from his owners that he had a limited budget to form his team, and he wanted to find the best value players to remain competitive. He hired a team of analysts led by his assistant, Paul DePodesta, who used computers to analyze the mounds of baseball statistics to determine the best candidates to fill the team given the resources available.
Not only did they find the best players to meet their budget; they also used statistics to help guide game strategy, such as providing actionable intelligence on batters’ vulnerabilities to certain pitches and strike zone locations, determining whether bunting was an effective tool, and positioning of players in the field in certain situations. Using “Big Data,” Oakland was able to field a team that fit within their limited budget and became highly competitive against teams with much higher payrolls.
Are you thinking about making a change in your organization to gain or maintain your competitive advantage? Are you thinking about using “Big Data?” Are you thinking about changing your software or hardware to produce at higher speeds or with greater precision? Are you thinking about introducing new products and services to meet new demands in your market?
During the course of your career, you will face decisions to make changes that address obsolescence, best value, and competitive advantage. You may deal with them simultaneously or individually. Regardless of what type of change you make, be careful. Failure to manage change effectively may lead to the breakdown of your security management program and increase your risk exposure as new vulnerabilities are introduced across IT, financial, and operational systems.
Without an effective change management process that provides direct oversight and monitoring of change controls across every system, device, and application, organizations cannot adequately protect themselves from risks.
WHAT IS IMPACTED BY CHANGE?
People: Change impacts many things in an organization, but the most obvious and arguably the most important is the impact upon people.
Changes also can affect how employees perceive the company and can influence their sense of loyalty. Loyal employees tend to work harder, create better products and services, and engender a positive attitude that permeates the organization. They also tend to retain loyal customers.
Employees expect that loyalty is a two-way street: they will be loyal to the organization and the organization will be loyal to them in turn. Change can introduce the stress mentioned above and may even cause some employees to question your loyalty toward them and their loyalty toward you and the organization.
Some people may lose their jobs or have their jobs redefined as a result of the changes you direct. The key to maintaining employee loyalty is leadership. Be honest and truthful. Clearly communicate the “why” behind the change and define roles and responsibilities. Hold people accountable (including yourself!). Treat everyone with dignity and respect. Demonstrate through both your words and deeds that, despite the impacts the changes will have on people, including layoffs, people are your most valued resource.
Those who lose their jobs but are treated well as part of the change process are more likely to retain a measure of loyalty and fondness, are less likely to engage in acts of sabotage or malfeasance, and generally are more productive through the change process.
Service level agreements: Changes also affect your client and service provider relationships. Many organizations have service-level agreements (SLAs) that define specific performance levels that service providers provide to their customers. Typical example performance measures in SLAs include such items as minimum standards for network uptime and availability, help desk and maintenance response, and timelines for account creation and password reset.
When you make a change to your computer systems, you may inadvertently cause an impact to your customers and business partners. Likewise, when they make changes to their environments, you and your organization may be affected. As you lead changes in your organization, always remember to ask, “Who does this affect both inside and outside of the organization?”
Your staff may have blinders on that only allow them to see how changes affect their specific area of interest. Strive to broaden the aperture to specifically guarantee that any effects to your clients are properly identified and addressed. Likewise, be vigilant with your service providers to ensure that your best interests are protected as they make changes.
In fact, make it part of your SLA with them that any and all of their proposed changes affecting your service must be communicated well in advance so that you can conduct an appropriate risk analysis.
Contracts: Service-level agreements are contracts, but they are not the only contracts that change can affect. Labor agreements, maintenance and service contracts, and acquisition and purchase arrangements should be reviewed for impacts before implementing any changes.
You may find when you implement a change in product or procedure that you also have to change contracts. For example, an aerospace firm that transitioned from using specialty alloys to clad the wings of its planes had to buy out a long-term contract with its suppliers when the market demanded that it transition to composite materials; they no longer needed the specialty metals.
In another example, when a firm converted from an Oracle to a SQL database, one of their costs was to terminate their Oracle support contract. A school district found after they purchased tablet computers for their students that their consumption of paper dropped precipitously.
Although they had a long-term firm-fixed-price contract with a paper supplier, they were able to renegotiate the contract to accommodate the change in requirement. In a final example, when a manufacturer automated its assembly line, many employees were made redundant. The collective bargaining agreement signed with the employees’ union called for company-funded retraining and preferential hiring into company vacancies.
We recommend you, your general counsel, your business managers, and your contracting specialists carefully review change proposals to ensure there aren’t any unexpected consequences hidden in any of your contracts, agreements, or purchasing arrangements. If so, that may increase both your risk and your costs.
Capacity: Changes also may impact your capacity. Most people implement changes to increase their capacity. Increased capacity generally equates with increased potential and increased profit. Many people view it as a good thing.
Nevertheless, be careful.
Increased capacity that is excess to your needs can be a bad thing for many organizations. While having the elasticity to expand as demand increases is a requirement in nearly all businesses, unused excess capacity is wasteful, adds drag to your organization, reduces profits, and can introduce increased risk.
You wouldn’t accept paying rental fees or positioning security guards at an old, empty, decrepit warehouse down by the river, would you? Should you do the same for the data warehouse sitting idle on the floor of your server room? Perhaps not. As cost models for data storage continue to drop per terabyte, investing in huge storage devices may or may not be your best investment. In fact, purchasing storage from a cloud-based provider may present a better value.
Your excess capacity may also increase your risk. As an example, cybersecurity best practices call for a defense-in-depth approach. This means that rather than relying solely on the defenses at your outer network boundary, such as your firewalls and external router security configurations, every device on your network should have cybersecurity protections.
The author is aware of an organization that had an unused server that was held in “strategic reserve” in the event that additional storage and computing power was needed in the organization. It had been a frontline server that had been replaced during a planned program upgrade (read that to mean “a change”), yet the network manager decided that since the server was still working well and was covered under the organization’s enterprise maintenance and licensing agreement, he’d keep it “just in case.”
Over time, the server sat in a rack waiting for something to do yet was totally forgotten when the network manager left the organization. Neglected it sat. It was turned off yet sitting in its rack poised to spring into action to handle the next call to process information.
Sadly, that day came when a new and very curious technician saw the idle server and decided to turn it on to see what would happen. The server, which hadn’t received security patches in nearly two years, suddenly popped up on the network and was promptly infected with malicious code that allowed a hacker to plant a RAT (remote access trojan) on the server and attack the network.
The technical team spent several days fighting the effects of the hacker, and the resulting disruption to business operations was significant. If you are looking for a moral to the story, having a backup server to provide extra capacity is not necessarily a bad thing, but you need to have a change management plan when you introduce additional capacity. This organization didn’t and it harmed them.
Changes can also decrease your capacity. If you have a smartphone, you may have already noticed that with every operating system “upgrade,” your manufacturer offers to push more features to your device so that the available storage space for your applications, music, and photographs dwindles. The same thing happens with your business systems as new and improved software and patches are installed on your system. Beware of software bloating!
Software bloating is a term that describes when successive versions of software become noticeably slower, use more memory or processing power, or have higher hardware requirements than the previous version while making only dubious user-perceptible improvements. Software bloating actually decreases your capacity and may hinder your performance, thereby increasing your risk.
We recommend that anytime you make changes to your software through patches or upgrades, you thoroughly test it whenever possible to determine whether it has negative effects on capacity and performance. If it doesn’t work as planned, having a plan to return to the previous working version is always an insurance policy you want to have.
Security: The final thing impacted by change is your security. Your cybersecurity posture will never be static. If your security officer is telling you that nothing ever changes, we submit maybe it is time to change your security officer. Of all the environments where your organization operates, the cyberspace environment arguably is the most dynamic.
New threats and vulnerabilities emerge every day. As your systems and software age, hackers and other bad actors figure out new ways to exploit weaknesses. Mechanical parts in your computers sometimes malfunction too, causing a denial of service to those who have not adequately provisioned backups. Mechanical problems are not the only computer malady that can deny you access to your information. Your computer may even suffer the equivalent of a heart attack!
Many computers suffer from a condition called memory leakage. Memory leaks are caused by defects in software that allocates memory but never releases it. Picture your computer working by constantly shuffling data between the central processor and memory units. Over time, some programs do not release memory back to the system when they are done with their processing.
This is like plaque accumulating in your arteries. Over time, unless you clean the memory by periodically restarting the computer (aka making “a change”), the memory will continue to fill up with remnants of previous processes until it doesn’t have sufficient memory to process anymore and locks up.
It has the equivalent of a heart attack! While you can do a reboot to restart the device after it locks up, you likely will lose all the information you’ve created since your last save, lose time, and are denied capabilities. While improvements in software have reduced memory leaks significantly, the risk is still there, and many network professionals will schedule reboots as part of a routine maintenance cycle.
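To make the “plaque in the arteries” picture concrete, here is an added example that is not part of the original text. It is written in Python and uses the standard library’s `tracemalloc` module to measure how much memory a request handler still holds after a run of requests. `LeakyService` keeps a reference to every request it has ever seen (the defect the text describes); `BoundedService` keeps only a fixed window, so old entries are released. The class names, the constructed 1 KiB request bodies, and the `restart` helper (the text’s “reboot”) are all assumptions made for this illustration.

```python
import gc
import tracemalloc
from collections import deque


class LeakyService:
    """Handler with the defect: it retains every request it ever processed."""

    def __init__(self):
        self.history = []          # grows without bound; nothing is ever released

    def handle(self, payload):
        self.history.append(payload)
        return len(payload)


class BoundedService:
    """Same handler, but old requests fall out of a fixed-size window."""

    def __init__(self, window=16):
        self.history = deque(maxlen=window)   # deque drops the oldest entry itself

    def handle(self, payload):
        self.history.append(payload)
        return len(payload)


def retained_bytes(service, requests, size=1024):
    """Bytes still allocated after `requests` calls, measured the way a leak
    detector would: snapshot, run the workload, collect garbage, snapshot again."""
    tracemalloc.start()
    gc.collect()
    before, _ = tracemalloc.get_traced_memory()
    for i in range(requests):
        body = bytes([i % 256]) * size        # constructed request body, 1 KiB each
        service.handle(body)
    gc.collect()
    after, _ = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return after - before


def restart(service):
    """The operator's 'change' from the text: drop all retained state.
    Returns the number of requests still held afterwards (always 0)."""
    service.history.clear()
    return len(service.history)


if __name__ == "__main__":
    print("leaky   :", retained_bytes(LeakyService(), 500), "bytes retained")
    print("bounded :", retained_bytes(BoundedService(), 500), "bytes retained")
```

With 500 requests the leaky handler retains roughly 500 KiB (every body plus list overhead), while the bounded one retains about 16 KiB regardless of how many requests it serves; the gap keeps widening the longer the leaky service runs, which is why operators schedule the reboot described above.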
A more common cybersecurity risk associated with change deals with patching.
Patching some programs and operating systems involves a series of patches, each with detailed installation instructions.
It is easy for both rookies and experienced technicians to make mistakes when patching systems, particularly when they are rushed. Three things can happen when patches are applied and two aren’t good. The first thing is that all goes well and there are no problems. The second is that the patch does not go well and your technical team struggles to restore capability while your business suffers from the denial of service. The third thing (and arguably the worst) is that the patch doesn’t work as planned and your environment is exposed to unacceptable risks.
Change impacts many things in your organization, principally your people, service level agreements (SLAs), contracts, capacity, and security. You should always plan changes to your information environment carefully to ensure you are conducting the due diligence and due care that your information deserves. Remember that due diligence refers to your activities to identify and understand the risks facing your organization.
Due care demonstrates that you have acted in a prudent and appropriate manner to protect the organization, its resources (such as its information), and its people from possible threats. Always have a plan when implementing changes to your information environment and recognize that even seemingly small changes can have big effects.
CHANGE MANAGEMENT AND INTERNAL CONTROLS
Your internal control program is about managing and controlling risk. Internal controls usually are thought of as methods used by the CFO to safeguard organizational assets, protect the reliability and integrity of financial and accounting information, ensure compliance, promote effective and efficient operations, and achieve business goals and objectives. Many employees and perhaps even some managers will give you the “deer in the headlights” look when you ask them to explain how they contribute to the internal control program.
While they may know there is a requirement to gather information used by senior managers, they may have no clue as to why or how the information is used. This is a sign that your risk management program is not sufficiently integrated throughout your organization.
Organizations experiencing this type of disconnect between senior management’s desire to have robust internal controls and lower levels not understanding those controls or their intent will have trouble on their hands. We contend that internal controls are not just the realm of the CFO; they apply to every manager and every employee in the organization.
Your internal controls should help you to manage and control change in your organization. While every organization is different, most use policies and procedures to guide actions to support the organization’s strategic direction and plans. Incorporating change management processes into your internal controls program will bolster the effectiveness of your controls, help make your business more efficient as you improve management visibility into the total cost of ownership, and enhance your security posture as you reduce risk presented by the unexpected consequences wrought by changes.
We recommend you implement tight controls over how changes are made to your system configurations. The security of your information relies heavily on the proper configuration of your system. If your system is not properly configured, bad things can happen fast, causing huge problems for you and your business. Take, for example, what happened when a technician in Sweden misconfigured a device during routine maintenance.
The technician introduced an error that caused all domain name system (DNS) lookups for the entire country of Sweden to fail. DNS is a terrific protocol that allows computers to convert a plain language address such as www.post-gazette.com to an IP address (18.104.22.168), which computers use to identify each other and exchange information. Without DNS capabilities, you would have to manually address every transaction using your destination’s IP address, which is awfully inconvenient, as most people do not maintain a contact list containing IP addresses.
Do you even know the IP address of your computer? Most folks don’t, and when the Swedish technician misconfigured the DNS service, the entire country effectively lost its Internet capability for an hour! During that hour, the Swedes lost their ability to surf the net, send and receive emails, conduct electronic business, use Internet-based media, and use Internet-based phone services.
While the Swedish technician was performing his maintenance on a device serving the entire country, consider the consequences of system configuration mistakes created by your technicians. What would you do if one of your technicians disconnected your business for an hour or more? What would you do if one of your technicians disconnected someone else’s (how about everybody’s) business for an hour or more?
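The three outcomes of a patch described earlier, the tight controls over configuration changes recommended above, and the Swedish DNS outage all point to the same control: check a proposed configuration before it goes live, leave the live version untouched if the check fails, and keep a fingerprint of the approved baseline so drift is detectable afterwards. The following is an added example illustrating that control, not code from the original text or from any real DNS operator. It is Python; the record format (`name`, `type`, `value` dictionaries), the function names, and the `example.com` sample records with their deliberate typos are assumptions made for this illustration.

```python
import hashlib
import ipaddress
import json
import re

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_hostname(name):
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def validate_zone(records):
    """Pre-change check. Returns a list of problems; an empty list means the
    proposed records may go live. Each record is {'name', 'type', 'value'}."""
    problems = []
    for i, rec in enumerate(records):
        name, rtype, value = rec.get("name", ""), rec.get("type", ""), rec.get("value", "")
        if not _valid_hostname(name):
            problems.append(f"record {i}: malformed name {name!r}")
        if rtype == "A":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"record {i}: {name!r} has an invalid IPv4 address {value!r}")
        elif rtype in ("CNAME", "NS"):
            if not _valid_hostname(value):
                problems.append(f"record {i}: {name!r} points at malformed target {value!r}")
        else:
            problems.append(f"record {i}: unsupported record type {rtype!r}")
    return problems


def fingerprint(records):
    """SHA-256 of the canonical JSON form: the identity of an approved baseline."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def apply_change(live, proposed):
    """Controlled change: validate first, never touch the live configuration if
    validation fails, and hand back the previous version for rollback.
    Returns (applied, now_live, previous_or_none, messages)."""
    problems = validate_zone(proposed)
    if problems:
        return False, live, None, problems
    return True, proposed, live, [f"applied; rollback copy fingerprint {fingerprint(live)[:12]}"]


def has_drifted(baseline_fingerprint, live):
    """Post-change and periodic check: does the live config still match what was approved?"""
    return fingerprint(live) != baseline_fingerprint


# Constructed sample data (not a real zone): the approved baseline and two edits,
# one in which a technician mistyped an address and a hostname, one that is clean.
BASELINE = [
    {"name": "www.example.com.", "type": "A", "value": "192.0.2.10"},
    {"name": "mail.example.com.", "type": "A", "value": "192.0.2.20"},
]
BAD_PROPOSAL = [
    {"name": "www.example.com.", "type": "A", "value": "192.0.2.300"},   # octet out of range
    {"name": "mail..example.com.", "type": "A", "value": "192.0.2.20"},  # empty label
]
GOOD_PROPOSAL = [
    {"name": "www.example.com.", "type": "A", "value": "192.0.2.11"},
    {"name": "mail.example.com.", "type": "A", "value": "192.0.2.20"},
]


def run_demo():
    """Walk the bad and the good change through the control; returns a summary."""
    approved = fingerprint(BASELINE)
    ok_bad, live_after_bad, _, bad_msgs = apply_change(BASELINE, BAD_PROPOSAL)
    ok_good, live_after_good, prev, _ = apply_change(BASELINE, GOOD_PROPOSAL)
    return {
        "bad_applied": ok_bad,
        "bad_problems": bad_msgs,
        "live_untouched_after_bad": not has_drifted(approved, live_after_bad),
        "good_applied": ok_good,
        "drift_after_good": has_drifted(approved, live_after_good),
        "rollback_available": prev == BASELINE,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The bad proposal is refused with two named problems and the live records are unchanged; the good proposal is applied, the drift check reports that the live configuration no longer matches the old baseline (so the baseline fingerprint must be re-approved as part of the change record), and the previous version is retained for rollback. The same shape of check applies to firewall rules, patch manifests, or any other configuration your change management process governs.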
Misconfiguration in software can be equally devastating and require thorough controls. Take, for example, the so-called misconfiguration of Facebook software that allowed bad actors to gain information from compromised email accounts harvested from exposed “Friends” lists to launch spear-phishing attacks.
Attacks like these are particularly nasty as they come in from the email accounts of your legitimate friends and usually contain attachments and links that contain or lead to sites that can poison your system or rob you blind. Because of the increased threat posed by these bad actors, as a policy, we refrain from clicking on links contained in emails and only go straight to the source to protect us from malicious sites. Perhaps you should too.
What would happen to your business if your software was misconfigured? According to the NSA, misconfigured software is responsible for over 80% of cyber attacks they are sent in to clean up. Not only do software misconfigurations expose you to possible attack and exploitation, they can take your business off-line.
How much does it cost you when your systems are off-line? Do your customers leave you to go to another source? Do you have to compensate your partners when you are unable to fulfill your commitments? What happens when your software at home is not configured properly?
Does your home computer contain valuable information you want to be protected? Are you exposing more than just your family photos to potential bad actors? You have a lot at stake when making changes to your software. You need to protect yourself and your business by making sure that software changes are done properly and will not negatively affect your business.
Web pages: Don’t forget web pages. Changes in web pages also have to be tightly controlled through your change management process to control your risk. Your web pages may be your principal means of communication with your clients, a dispersed workforce, and even your suppliers and partners. They likely are a major source of revenue as they may be the primary source of your sales through e-commerce methods. You have to tightly control any changes to your web pages.
How do you prevent changes in your web page from introducing an XSS vulnerability? What if your website has an XSS vulnerability? What is your liability to your customers? What if an attacker executes a script that compromises your web server, reveals valid user credentials, and gains entry into your corporate network?
Is your network sufficiently segmented to protect your intellectual property and trade secrets even if your web server is compromised? Even if your website is secure now, could a patching change or misconfiguration suddenly expose you to risk? Your change management process needs to ensure that any changes to your system preserve the integrity of the system to protect against attack and exploitation.
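One concrete answer to the question of how a web-page change can be kept from introducing an XSS vulnerability is to put an automated encoding check into the change process itself. The following is an added example, not code from the original post: a vulnerable renderer beside its hardened form, and a check that a change pipeline can run so that an edit that drops the output encoding is rejected before it reaches the digital storefront. The template, the `render_*` names and the probe string are constructed for the example.

```python
"""Pre-deployment check that a page template encodes user input.

Added example, not code from the original post. The vulnerable renderer
pastes user input straight into HTML; the hardened one encodes it. The
check renders a constructed probe string holding one of each character
that must never pass through raw and fails any renderer that lets the
count of those characters grow. Run it as a gate in the web-page change
process so an edit that drops the encoding is caught before it goes live.
"""
import html
from typing import Callable, List

Renderer = Callable[[str], str]

# Constructed probe: one of each markup-significant character.
PROBE = 'x<y>"z\'&w'


def render_unsafe(name: str) -> str:
    """BEFORE: user input concatenated into markup unchanged."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    """AFTER: special characters HTML-encoded for element content."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def leaked_markup(render: Renderer) -> List[str]:
    """Characters from the probe that reached the output unencoded.

    The template's own markup is fixed, so rendering a benign name and the
    probe must give the same count of each special character; any extra
    occurrence came from the input."""
    benign = render("alice")
    probed = render(PROBE)
    return [ch for ch in '<>"\'' if probed.count(ch) > benign.count(ch)]


def passes_xss_check(render: Renderer) -> bool:
    """True only when no markup-significant character leaked through."""
    return not leaked_markup(render)


if __name__ == "__main__":
    for fn in (render_unsafe, render_safe):
        print(fn.__name__, "leaks", leaked_markup(fn) or "nothing")
```

The count comparison deliberately knows nothing about payloads; it only asks whether characters from the input survived unencoded, which is the property a change reviewer actually cares about. Note that `html.escape` is correct for element content only: input that a page change places inside an attribute, a URL or a script block needs the encoder for that context, and this check would need a matching probe for each such template.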
Not only should your change management process preserve the integrity of your system’s security, but also it needs to preserve the integrity of the information presented.
Your website is your digital storefront. We are biased when we visit websites rife with typographical and syntax errors. If a website owner can’t deliver proper grammar, how can we expect they deliver effective security? These are the types of businesses we pass by and move on to those who demonstrate professionalism from the moment we visit their digital storefront until the time we leave it. Maintaining the integrity of information should be a top priority.
We’ve identified that you need to tightly control changes to your system configurations, software, and web pages. You also need to control the data exchanges you make to preserve the integrity of the data you share with partners and that which you receive.
Many businesses, particularly large businesses and those specializing in logistics functions, use electronic data interchange (EDI) to accelerate the velocity and precision of their business. EDI eliminates many cumbersome manual processes as businesses share electronic documents, such as purchase orders, invoices, and shipping information, with their business partners. This type of electronic information management is proven to reduce business costs as information is standardized and the handling of forms and reports is automated.
EDI vendors are proud of the fact that human error is minimized as the computers do all the work in processing routine forms and reports. They are also proud that electronic business transactions are more secure than normal paper transactions because they are protected using data encryption.
Encryption requires the business partners to agree, as part of their contracts, upon common encryption techniques that enable them to freely exchange the information. Use of encryption is now so common that any EDI transaction not encrypted is viewed as suspect and rejected.
Because so much business now flows using data exchanges, your business likely uses EDI or other electronic exchange of information as a key component of your business partnership game plan. Your business relies on this flow of information to earn profits and maintain your competitive edge. You need to safeguard your information against inadvertent or deliberate changes that could compromise your vital information.
What could happen if a change occurs involving your data exchanges? How could it affect your business? What is the risk to you and your information?
CHANGE MANAGEMENT AS A PROCESS
Change management is a critical component of your risk management program. Executives need to maintain positive control over how plans are executed and policies are followed. Whether you are an executive working in business, in academia, in government, or in a nonprofit organization, your information is a valuable asset that needs to be protected. You need to control all changes that can affect your information.
Cybersecurity professionals will tell you that the fundamentals of cybersecurity are controls that preserve the confidentiality, integrity, and availability of your information. These controls can come in the form of policies, procedures, or technical measures. They are there to enhance your business and its ability to meet your business objectives such as safely creating products that deliver value to your clients and earn profits for your ownership.
Many managers look at cybersecurity controls as technical measures to be turned over to the “technical experts.” To do so would be a huge mistake. Don’t surrender the management and oversight of those controls to your technical staff.
Managing change is a fundamental responsibility of management while executing changes largely is a tactical-level activity conducted by employees under the oversight of management. Many organizations have little visibility into the effectiveness of their change management controls across the IT infrastructure. This lack of visibility can be devastating when changes are not managed and monitored effectively. Reduced availability, compromised information, and lost trust in the integrity of your information, and the systems that process it, could ruin your organization.
The Touhill Change Management Process
We submit that change is best effected when it is accomplished as the product of a well-managed and deliberate process executed by a properly trained and motivated workforce. Executives who lead these changes take proactive measures to make sure that the process delivers the desired effects in a manner that is predictable, reliable, and repeatable.
Do you have a change management process that is predictable, reliable, and repeatable? You may be surprised to find that many people do not have a formal change management process for their IT systems. Many organizations continue to install patches on an inconsistent basis (if at all), send untrained and inexperienced technicians to perform tasks they have never done before, never test software before installation on production systems, and permit technicians to input instructions into critical systems without the requisite checklists or procedures that can insulate the organization from a potential loss of information. They do not have effective management controls over change.
Does that describe your business?
In this section, we are going to share what we believe is the best practice for managing change in an information ecosystem: our process for managing and controlling change. You may look at it and say: “That’s nothing new. We already use a process like that.”
We hope you do.
Nevertheless, there are many executives who use process management techniques to manage risk at the strategic and operational levels but still neglect to use these same techniques to manage tactical actions. Such neglect can have profound adverse strategic effects. As you’ve seen from the anecdotes shared earlier in this blog, tactical actions by your employees can have dramatic strategic effects, and you need to manage their activities as part of your risk management construct.
The change management process presented should not be a startling revelation for you. We hope that you already are using a process like this to manage change in your organization. However, we wouldn’t be surprised if you are not using such a process to manage changes to your hardware systems, software patches and upgrades, web pages, and data exchanges. You should use your version of the change management process to control change and manage risk.
Following the Process
If you want reliable, repeatable, and predictable results, you need to follow a process. It doesn’t matter if you are manufacturing chemicals, creating machinery, delivering a service, or even implementing cybersecurity controls. Processes are the deliberate steps the user follows to accomplish tasks and achieve desired results. They are the procedures that implement your plans created to complement your strategy.
Let’s walk through a common example that shows how to use a formal process, even when the time is of the essence. It is Friday morning, and your network manager calls you out of a boring meeting going over TPS reports to alert you she just heard from her counterpart at another business that they were just hit by a new zero-day exploit that has taken down their computer systems and possibly corrupted their data. The initial damage report sounds really bad.
You say to her (while trying to look relatively intelligent), “Remind me again; what’s a ‘zero-day exploit?’” She reminds you that a zero-day exploit refers to an attack where there is no warning of the vulnerability; there are “zero days” to prepare to patch the vulnerability.
She tells you the manufacturer just released a patch this morning and the attacker hit your counterpart’s business shortly thereafter. You now recall that’s how many zero-day exploits occur; as soon as manufacturers announce a patch to some previously unknown vulnerability, some knucklehead decides to try to exploit the vulnerability before it gets patched.
She says her counterpart at your competitor called her a few minutes ago to ask for her advice as they had problems installing the patch and their systems are down and will be for a while while they try to reconstruct their configurations from backups.
You secretly (and shamefully) are delighted and already are thinking how their loss may translate into opportunity for your business when she drops a whopper on you: your operating system is vulnerable to the same kind of attack. Your network manager wants to install the patch right now. Do you tell her, “What are you waiting for? There is a threat out there. Fix it now!” or do you follow your process to determine your best next steps?
The first step in the change management process is identifying what needs to change and why. In this case, you know that there is a vulnerability, a demonstrated threat, and a potential fix. Rather than jumping foolishly in reaction to the issue, you wisely follow the corporate change management process.
You move to the next step and evaluate the situation. What do you know about the attacker? Were they targeting your competitor for any specific reason? Who are they and what were they trying to accomplish? What do you know about the proposed patch? Will this patch prevent the attacker from harming your company?
Hopefully, it will, but what other impacts are there? Will the patch operate in conflict with any of your other software products? Does your staff have experience installing patches like this? What happens if there are any problems in the patch installation? Does the software manufacturer offer technical assistance if you run into problems? You ask your staff how long it would take to develop an installation checklist, train your network personnel, and test the patch and checklist in your test environment. You need facts.
Step three is determining your possible courses of action (COAs). We always like to give our bosses a minimum of three COAs, with all of them being feasible, acceptable, suitable, and affordable. After presenting the alternatives, we tell the boss what our first choice is and why. The first COA you may consider is to do nothing. As with all your COAs, you evaluate the pros and cons of the COA. Pros include that you have not made an unplanned change to your IT environment.
Cons include the potential damage that could occur if your system is unpatched and attacked. Another COA is to patch immediately. Pros include that your system is patched right away, lessening your exposure to potential attack. Cons include that you don’t have time to test the patch, train your staff, or check to see that the patch doesn’t cause some collateral damage that negatively affects an application or key process. A third COA is to continue to operate your IT systems but disconnect from the Internet, where you believe an attacker may be lurking.
This essentially would make your network an intranet and not accessible to outsiders. It also disconnects you from your customers. This may be an acceptable option if you don’t rely on that connection for e-commerce and other revenue generation. It also may be acceptable if the duration of the outage is brief and your risk appetite allows for losses accumulated during the service interruption.
A fourth COA is to accept the risk of potential attack, yet patch as soon as possible after creating, testing, and rehearsing a patching procedure in your testing environment. Your network manager believes it will take her and her staff approximately three hours to create, test, and rehearse the procedure. Usually, her estimates are pretty good.
Step four calls for COA selection and management approval. Because there is a serious threat to your organization, you do not delay in notifying your chain of command. You inform your boss of the current situation and outline potential COAs. Many companies, including yours, use a Change Management Board to control changes to their IT environments.
The Change Management Board is comprised of key stakeholders in the business and includes empowered representatives of key business functions; the general counsel; the CIO, CISO, and CRO; the financial department; marketing; PR; and the IT staff. The board reviews any proposed changes to ensure that sufficient controls have been employed to protect the business and its information from damage.
You invite your boss to join you at the emergency Change Management Board meeting to be conducted in 30 minutes, where you will recommend COA 4 (accept the risk of potential attack, yet patch as soon as possible after creating, testing, and rehearsing a patching procedure in your testing environment).
Your boss approves and directs you to make similar calls to the key stakeholders on the board so they know what is going on and are better prepared to arrive ready to make a decision. When the board convenes, the facts are presented and the COAs debated. Insightful and probing questions are asked, and occasionally, a staffer is dispatched to get an answer if it is not immediately known. The culture and values of the organization contribute heavily to the decisions of the board.
So does the risk appetite established by senior leadership. Because there is great confidence in the IT staff due to their proven track record of excellence, the board votes in favor of COA 4 and assigns the network manager to implement the change, noting that since the competition supposedly was devastated by an attempt to patch and your business is similarly at risk, the board believes that the CEO should make the risk decision whether to go with COA 4.
The board normally has authority to approve changes; however, it is not unusual for the board to refer decisions involving a high level of risks to senior management for a final decision. The board chairman, who in this case is the CIO, calls the CEO, briefs him on the issues, summarizes the situation and board deliberations, and asks for CEO concurrence. Because the CEO has knowledge of and confidence in the process, he approves the board’s recommendation and directs COA 4 to be implemented immediately.
Fresh from COA selection and management approval, you are ready to move forward with COA 4 with step five: implementing the change. Your PR specialist follows corporate policy by sending out a corporate-wide email notice of the proposed emergency patch along with information provided by the technical staff that identifies what will happen, why it is necessary to patch, when it will occur, what the expected results are, and what the staff should do if they detect any adverse effects.
Similarly, the sales and marketing team is calling key business partners to give them a heads-up of the proposed change. They use a script that has been coordinated through PR, the technical staff, and general counsel to give just the right amount of accurate and informative information. Too much would be overkill and potentially shake the confidence of your partners. In fact, the courtesy call to the partners reinforces in their mind that your company is professionally managed and that you called to inform them of any actions that could possibly adversely affect them.
They greatly appreciate the sharing of information and are now taking action to patch and protect their systems. They promise to share with your company any issues they may see. Good news arrives with a call from your network manager, who reports that her team created a checklist based on the manufacturer-provided patch instructions and her team successfully installed the patch in your test environment. They tested each application in your software inventory to double-check they were not negatively affected by the patch and found no problems.
You prepare to go home ready to enjoy the weekend because your systems and their information are fully operational, are generating lots of business, and are secure. You have confidence they are effective, efficient, and secure. Meanwhile, your counterpart at your competitor is valiantly trying to recover from a change gone bad. As you log off your computer and clean your desk during your end-of-day security procedures, you think, “Whew! Sure glad we had a change management process and got that patch online correctly.”
If you and your business were confronted with a similar situation, how would it be handled? Do you have a well-documented and rehearsed process or do you rely on ad hoc procedures? Who approves changes and how is risk management incorporated into those decisions? When changes are made, is it well known who is in charge and responsible?
In organizations that do not have a well-defined and disciplined process, the only way you find out who is responsible is to count whoever has the most fingers pointed at them. We prefer to know roles and responsibilities before changes occur.
We also insist on communicating changes well in advance. Your process should inform who needs to be notified of any changes, including those internal and external to the organization. After you make the change, ensure that you assess how well you did. Conduct vulnerability scans to see if any new vulnerabilities have emerged.
Depending on the magnitude of the change and the value of your information, consider investing in penetration testing or even red teams. You may even want to consider a full audit of your plans, policies, and procedures to make sure you are well postured to protect your shareholders’ interests and those of the company.
Using a process to manage change in your organization has many benefits that we believe outweigh any costs. While many argue that processes increase bureaucracy, well-managed processes are inherently more effective and efficient than ad hoc procedures that are not reliable, repeatable, and predictable. They also better protect you from risk by delivering more secure solutions to your most important problems. If you don’t have a change management process, now is a great time to invest in one.
Have a Plan B, Plan C, and maybe a Plan D
Sometimes, you encounter situations that you didn’t expect. Do you sit gob-smacked or do you have a backup plan? What happens if your best-laid plans go awry? Recall our previous advice: “Be Prepared. Have a plan and do things!” We believe it is essential that you always prepare contingency plans as a normal COA. The unexpected happens. Be prepared.
What Plan B actions would you have planned? What would you have done if the patch failed to load properly on the production system despite having worked well on the test system? Do you have a Plan B to “back out” of the installation without harm to the system and its information? Who makes the decision to go to Plan B? When do they make that decision?
What information do they need and how do they get it? Does your Plan B permit you to return to the state or condition you were in before you started the change? If you have to switch to Plan B, who needs to know? What do you tell them? Who tells them? How are they informed (e.g., face-to-face, email, or phone call)? Be prepared.
Be prepared by asking the right questions. What do you do when Plan B to gracefully “back out” of the installation fails? Do you have a Plan C? Does your plan let you know how long it would take to reload the operating system if Plans A and B fail and your operating system was corrupted by the patch?
Do you have the resources to reload the operating system in the event you face this unfortunate situation? Do you need any special reinforcements or technical help? If so, how much would that cost? How much downtime should you expect? What kind of loss are you facing? As with Plans A and B, who needs to know when you are moving to Plan C? Are you prepared?
You should always be ready for the unexpected. Be prepared.
BEST PRACTICES IN CHANGE MANAGEMENT
In our combined 80+ years of executive experience, we have been involved in the formation and execution of numerous change management plans, policies, and procedures. We have been successful yet both acknowledge early failures that turned into valuable learning experiences. Fortunately, our failures didn’t leave a mark and enabled us to improve on our subsequent efforts leading to very successful careers.
Many of our clients ask us to share some of our change management lessons learned and best practices from these experiences to better posture themselves for success and minimize risk. We present them here to assist you as you develop your own change management plans and processes:
Touhill’s Best Practices in Change Management
1. Communicate early and often:
Nobody likes surprises. Every time you make a change to an information system, an application, a web page, or data exchanges, make sure you inform those affected by the change well before you make the change. Anticipate resistance and address fears by clearly articulating why the change is needed and how it will affect the individual. Seek to involve people in the change as opposed to imposing it upon them. Make sure you invest in two-way communication throughout all stages of your change management process.
2. Don’t rush to field crummy products:
If you rush a change that produces crummy results, you are rushing to fail. Crummy results erode confidence and make next steps even more difficult. Carefully balance the demands for speedy delivery of products with the demands for quality products as part of your risk management process.
Decisions regarding timelines and quality are management-level decisions. Make sure that communication is strong between all parties to make certain that risk is appropriately identified and decisions are made with the right information. We’ve often found that adequate results are better than gold-plated results and always better than crummy products that leave everyone disappointed.
3. Timing is everything:
Have you ever had a system administrator take down a service such as your email during the height of the workday because it was convenient for the administrator? We hate that and won’t tolerate that in our organizations. Changes need to be accomplished for the betterment of the organization and its objectives.
In his latest CIO position, the author was challenged by a fellow managing director as to why the IT staff performed maintenance on a key transportation system at 1:30 in the afternoon on Tuesdays. I told him we found that well over 90% of the users of the system were in Afghanistan, and when we asked them when would be a good time to do our maintenance so that it wouldn’t interfere with their operations, they told us midnight leading into Wednesday was best.
Because Afghanistan is 10.5 hours ahead of us in time zones, we did our maintenance at their convenience, during our afternoon. We recommend that when you introduce changes, you do so at the convenience of those affected by the changes. Not only is it common courtesy, but also it is good business.
4. Change only what needs to be changed:
What would you do if you brought your car to the garage for an oil change and when you pick it up the mechanic tried shaking you down for extra money by saying he noticed some other things that needed to be fixed and did the work without your permission?
You probably would blow a gasket and never return to that garage. Why should your network and IT systems be any different? Having a disciplined change management process prevents well-intentioned or plain-old-ignorant technicians from introducing unplanned changes that can actually cause more harm than good. Make sure you have positive control over all changes to minimize the risk of surprises and exposure to threats.
5. Don’t be afraid to ask for help:
Asking for help is difficult for many people. They mistakenly believe that it will be seen as a sign of weakness, whereas it actually is a sign of wisdom. In today’s increasingly complex cyberspace environment, asking for help often is not an option; it is a requirement. One of the things successful executives do is build effective teams.
When confronted by vexing problems that are beyond the skill or expertise of your team, don’t hesitate to bring in expert consultants to assist. You also can use expert consultants to review (or even create) your plans and procedures. Ensure you protect your intellectual property and trade secrets with outside consultants through nondisclosure agreements and other measures whenever you consult for help.
6. Ensure everyone knows what is going on and why:
Ignorance may be bliss for some people, but it can lead to trouble when it comes to change. As an example, coordinating your maintenance schedule for your automated systems is an essential best practice of change management.
It is very important to make sure that your personnel know when you will remove their systems from service or perform online maintenance. First, if your proposed maintenance window conflicts with vital business operations, the conflict can be identified and resolved before it becomes a problem.
Second, if a problem arises as a result of the change, informed users are more alert to any issues and can dispatch maintenance personnel faster. Third, knowing what is going on and why permits employees to appropriately schedule their work around the period of maintenance, resulting in higher productivity and less frustration.
The author has a unique example of a change where making sure that everyone knew what was going on and why was critically important. When deployed overseas in combat operations, the author was responsible for all communications and computer systems supporting allied air forces. Anytime one of our troops was killed in combat, we wanted to make sure that appropriate next-of-kin notifications were made. Face-to-face contact is appropriate.
An email is not. Early in combat operations, we found that emails from the frontline units were beating officers and chaplains to the doorsteps of grieving families. An email as simple as “Honey, I’m fine but Sergeant M didn’t make it. He was killed in an attack this morning.
I think it would be great if you and the other spouses would stop by Sergeant M’s house to see if the family needs anything” dispatched concerned military spouses who would descend upon an unaware spouse while officials deliberately and diligently did the work to confirm the death, describe its circumstances, and gather the appropriate counselors to make official notification.
On more than one occasion, these unofficial initial reports proved incorrect, and the wrong spouse was told of a death that didn’t occur. To better serve our grieving families and avoid leaks and inaccurate reports, our higher headquarters made it policy to suspend all but mission-critical communication from the unit until the family had been properly notified. Web browsing and email services for everyone except the command post were disabled. Morale phone calls were suspended.
We went “comm out” until we received word from the home unit that the family of our fallen comrade had been properly notified. Loss of communications in the military is serious business, and the troops hate any disruptions. Nonetheless, because they understood what we were doing and why, there was no griping, just the solemn recognition that the inconvenience was part of a more important mission.
Maintaining your cybersecurity posture to protect your vital intellectual property and trade secrets or operation of critical infrastructure may be your higher priority mission. The lesson to remember is to make sure everyone on your team and all your key stakeholders and partners know what you are doing and why.
7. Monitor implementation closely:
Anytime you make a change, you need to make sure the results are what you want and expect. Do you think someone at United Airlines should have checked their web page before they offered fares ranging from free to ten dollars? How do you check to make sure your changes are effective? Do you have internal controls that call for all changes to be “independently checked” before acceptance and completion?
What happens if something happens in the middle of your change process that indicates that the proposed change is a dud and you need to restore to your previous state? How do you know? Do you have a process for detecting implementation problems? Do you have a Plan B, Plan C, and maybe a Plan D? Successful executives do not rely on autopilot to guide their operations. Monitor your changes closely to ensure they are effective, efficient, and secure.
8. Have a backup and a back-out plan:
“No plan survives contact with the enemy.” The unexpected will happen. Be ready for it with a plan to address when your change doesn’t go as planned. We suggest one of the key questions you should ask when presented with a change proposal is, “What do we do if this doesn’t work?”
Insist that your employees, especially your IT staff, create backup plans ahead of time to appropriately address situations when changes don’t go as planned. Whenever possible, have a plan to back out of your proposed plan when it appears that the change is not going as intended.
For example, you may find in step four of a twelve-step process that the installation of a new software application is not going well. The application may not be able to link with the database. Rather than trying to struggle through with the installation, you decide to stop and back out of the installation.
You go back through steps 3, 2, and 1 to restore the system to its previous state. Once you have a stable environment, you can regroup and take the appropriate next steps. When proposed changes don’t go as planned, don’t stand there with your hands in your pockets wondering what to do next. Take proactive steps now to prepare to address the unexpected. Have a plan.
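The back-out described above (step four of an install fails, so steps 3, 2 and 1 are undone in reverse) is easiest to make reliable when every step is written with its own undo from the start. The following is an added example, not code from the original post, showing that pattern: a change runner that applies steps in order and, on the first failure, unwinds the completed steps in reverse. The in-memory “system”, the five steps and the database-link failure are a constructed scenario.

```python
"""Ordered change steps with a reverse-order back-out.

Added illustration of the back-out idea described in the text (a step in
the middle of an install fails, so the earlier steps are undone in
reverse). This is not code from the original post. Each step carries an
undo that restores exactly what its apply changed. The "system" is a
constructed in-memory dict standing in for real state (a service, a
binary, a config file, a database link); the five steps are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Step:
    name: str
    apply: Callable[[dict], None]  # makes the change
    undo: Callable[[dict], None]   # restores the pre-step state


@dataclass
class ChangeResult:
    completed: List[str] = field(default_factory=list)   # steps applied OK
    backed_out: List[str] = field(default_factory=list)  # steps undone, in order
    failed_step: Optional[str] = None
    error: Optional[str] = None


def run_change(system: dict, steps: List[Step]) -> ChangeResult:
    """Apply steps in order; on the first failure, undo the completed
    steps in reverse order and stop."""
    result = ChangeResult()
    for step in steps:
        try:
            step.apply(system)
            result.completed.append(step.name)
        except Exception as exc:  # any failure triggers the back-out
            result.failed_step = step.name
            result.error = str(exc)
            for done in reversed(steps[:len(result.completed)]):
                done.undo(system)
                result.backed_out.append(done.name)
            break
    return result


def set_key(key: str, new_value) -> Tuple[Callable, Callable]:
    """Build an apply/undo pair that records the old value before changing it."""
    saved: Dict[str, object] = {}

    def apply(system: dict) -> None:
        saved["old"] = system[key]
        system[key] = new_value

    def undo(system: dict) -> None:
        system[key] = saved["old"]

    return apply, undo


def baseline_system() -> dict:
    """Constructed stand-in for production state before the change."""
    return {"service": "running", "binary": "app-1.0",
            "config": {"db_url": "db-old"}, "db_link": None}


def build_steps(db_reachable: bool) -> List[Step]:
    """Constructed five-step install; step 4 fails when the database
    cannot be linked, the failure mode discussed in the text."""
    def link_db(system: dict) -> None:
        if not db_reachable:
            raise RuntimeError("database link refused")
        system["db_link"] = "connected"

    def unlink_db(system: dict) -> None:
        system["db_link"] = None

    return [
        Step("1 stop service", *set_key("service", "stopped")),
        Step("2 stage binary", *set_key("binary", "app-2.0")),
        Step("3 update config", *set_key("config", {"db_url": "db-new"})),
        Step("4 link database", link_db, unlink_db),
        Step("5 start service", *set_key("service", "running")),
    ]


def demo_install(db_reachable: bool) -> Tuple[dict, ChangeResult]:
    """Run the constructed install against a fresh baseline and return
    the final system state alongside the change record."""
    system = baseline_system()
    result = run_change(system, build_steps(db_reachable))
    return system, result


if __name__ == "__main__":
    state, outcome = demo_install(db_reachable=False)
    print("failed at:", outcome.failed_step, "| backed out:", outcome.backed_out)
    print("restored to baseline:", state == baseline_system())
```

The point a reviewer should take from the pattern is that a change request without an undo for each step has no Plan B; the runner refuses nothing, but the `Step` type makes the missing back-out visible at review time rather than at 2 a.m. on the production box. The `ChangeResult` record is also what you hand to the people who need to know that Plan B was invoked.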
9. Make sure your plan doesn’t break anything else:
This is critical. The author is aware of certain software patches that wipe out previous security configuration settings; when you install the patch, you have to reset your security settings to protect your information. Likewise, you may find that blocking a port or protocol with the intent to better protect your information may actually deny a vital business function access to an important information source or client that can generate positive benefit for your organization. Your proposed change may have unintended consequences.
That’s why it is important for you to coordinate your plan carefully throughout your organization to minimize the chance that you’ll interrupt an important process, deny an important information source, or break something. Using a Change Management Board helps immeasurably to make sure that all stakeholders are involved in the process of developing the change and will help find any weaknesses in the change that could inadvertently cause it to break something.
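The back-out plan from step 8 and the patch-that-wipes-settings problem from step 9, as an added example that is not from the book: each step records how to undo itself, so a failure at step 4 backs out steps 3, 2 and 1, and a snapshot of security settings taken before the change shows whether a "successful" patch quietly weakened one. The system, its settings and the step names are constructed sample data, not a real host.

```python
import copy
from dataclasses import dataclass
from typing import Callable

@dataclass
class Step:
    name: str
    apply: Callable[[dict], None]  # performs this step on the system
    undo: Callable[[dict], None]   # reverses exactly what apply did

def run_change(system: dict, steps: list) -> tuple:
    """Apply steps in order; if one fails, undo the completed ones in reverse."""
    log, done = [], []
    for step in steps:
        try:
            step.apply(system)
        except Exception as exc:
            log.append(f"FAILED {step.name}: {exc}")
            for completed in reversed(done):  # back out 3, 2, 1
                completed.undo(system)
                log.append(f"backed out {completed.name}")
            return False, log
        done.append(step)
        log.append(f"applied {step.name}")
    return True, log

def security_regressions(baseline: dict, current: dict) -> dict:
    """Settings removed or altered since the snapshot: {setting: (expected, actual)}."""
    return {k: (v, current.get(k)) for k, v in baseline.items()
            if current.get(k) != v}

def setter(key, value): return lambda s: s.__setitem__(key, value)  # sets one setting
def remover(key): return lambda s: s.pop(key, None)                 # removes it again
def db_link_fails(_s): raise RuntimeError("cannot reach database")  # constructed step-4 failure
# Constructed four-step install: step 4 fails, so steps 3, 2, 1 are undone.
INSTALL = [Step("copy files", setter("app_files", True), remover("app_files")),
           Step("create service account", setter("svc_account", "app"), remover("svc_account")),
           Step("open listener", setter("listen_port", 8443), remover("listen_port")),
           Step("link database", db_link_fails, lambda s: None)]
# Constructed patch that silently lowers the TLS floor; its undo restores it.
PATCH = [Step("vendor patch", setter("tls_min_version", "1.0"), setter("tls_min_version", "1.2"))]

def demo():
    system = {"tls_min_version": "1.2", "audit_logging": True}
    baseline = copy.deepcopy(system)           # snapshot before any change
    ok, _ = run_change(system, INSTALL)        # fails at step 4, backs out
    restored = system == baseline
    patched, _ = run_change(system, PATCH)     # patch applies "successfully"
    return ok, restored, patched, security_regressions(baseline, system)
```

A non-empty result from `security_regressions` is the signal to reapply the security settings (or run the patch's own undo) before declaring the change complete.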
10. Be flexible: Most people have pride in ownership.
That can be a good thing when it means they feel a sense of responsibility and commitment. Those attributes are what we look for in the leaders who we assign to manage important processes and tasks. Regrettably, some people take pride in ownership too far and aren’t willing to entertain or accept suggestions for improvements. These are people we pass over when it comes to assigning leadership responsibilities.
Flexibility allows you to respond quickly when Plan A doesn’t work and you have to shift to a contingency plan. Flexibility leads you to welcome suggestions and find better ways of doing business. Flexibility means you are more likely to remain calm and collected when confronted by the unexpected. Change introduces stress, uncertainty, and fear for many people. Don’t be one of those people. Be flexible, embrace change, and lead others to do the same.
Change management is part of your risk management program. Change is inevitable and can be a very good thing when it is managed properly. Change brings you new capabilities, better efficiencies, and new ways of doing things. Change erases poor processes rife with wasteful steps, eliminates toxic leadership, and retires substandard products.
Change can also introduce significant risk to you and your organization. In fact, periods of change are where most risk is introduced. Changes in personnel, process, and products represent a great risk to you and your business. You need to manage change as part of your risk management process. At least 65% of all cyber attacks exploit misconfigured systems.
Most downtime is found to be a self-inflicted wound. According to the Yankee Group, an IT research organization, over 62% of all network downtime is caused by configuration errors. Changes are made to avoid obsolescence, to obtain the best value, and to achieve and maintain a competitive advantage.
Changes affect not only your people but also your service level agreements, contracts, capacity, and security. You need to carefully manage change to protect against adverse impacts on any of these items.
Internal control policies that specifically address how you manage and control all changes to system configurations, software, web pages, and data exchanges will keep you out of trouble. Ensure that you have adequate controls in place to monitor and manage the change process for each of these important cyber-based capabilities.
Change should be managed and controlled as a process to minimize risk while maximizing benefits. Your change management process should yield results that are effective, efficient, and secure.
Change is best effected when it is accomplished as the product of a well-managed and deliberate process executed by a properly trained and motivated workforce. Executives who lead these changes take proactive measures to make sure that the process delivers the desired effects in a manner that is predictable, reliable, and repeatable.
Managing change is a fundamental responsibility of management, while executing changes is largely a tactical-level activity conducted by employees under the oversight of management.
The first step in the change management process is identifying what needs to change and why.
Evaluate the situation thoroughly in step 2 of your change management process. Ask the right questions (and lots of them) to ensure you have a complete understanding of the situation. Evaluate whether you want or need to make a change.
In step 3 of your change management process, identify potential courses of action (COAs). They should always be feasible, acceptable, suitable, and affordable. As a general practice, we always recommend giving your boss at least three COAs to consider.
Step 4 of your change management process features management deciding which COA to pursue. Convening a Change Management Board as an integral part of your change management process is a best practice that makes sure that all vested stakeholders participate in the change process. It is important that people feel they are involved in the change rather than having it imposed on them.
Implementing the change is step 5 in the process. Providing as much advance warning of the change as possible to those affected by it and to key stakeholders is essential. Don’t forget to coordinate with key partners. Make your message clear by following an approved script that conveys the essential message but does not reveal sensitive information.
Assign a manager to lead the change and assign specific responsibilities for all change activities. Monitor implementation progress closely and be prepared to back out or implement a backup plan in the event the proposed change does not go as planned.
After you make a change, make sure that it delivers the desired effects. Always conduct vulnerability scans after making changes to your system configurations, software, web pages, and data exchanges. Consider conducting penetration testing, red teaming, and audits after significant upgrades and special circumstances. Be prepared for the unexpected. Have a Plan B, Plan C, and maybe a Plan D ready to execute in the event your Plan A fails or doesn’t go as expected.