Implementing Enterprise Visibility by Leading Change

I've been advocating increased digital situational awareness via network security monitoring and related enterprise visibility initiatives for several years. Recently I read a Harvard Business Review case study called "Leading Change: Why Transformation Efforts Fail" by John P. Kotter. His eight-stage process for creating a major change includes:

  1. Establish a sense of urgency.

  2. Create a guiding coalition.

  3. Develop a vision and strategy.

  4. Communicate the change vision.

  5. Empower broad-based action.

  6. Generate short-term wins.

  7. Consolidate gains and produce more change.

  8. Anchor new approaches in the culture.

Failure to follow these eight steps often results in failed change efforts. Kotter notes for item 1 that the goal is to "make the status quo seem more dangerous than launching into the unknown... When is the urgency rate high enough? [T]he answer is when about 75% of a company's management is honestly convinced that business-as-usual is totally unacceptable." Consider that level of commitment when trying to rally support for improved digital security!

For item 3, Kotter advises "if you can't communicate the vision to someone in five minutes or less and get a reaction that signifies both understanding and interest you are not yet done with this phase of the transformation process." "Botnet, C&C channel, rootkit, Trojan, what??"

For item 4, Kotter says "transformation is impossible unless... people are willing to help, often to the point of making short-term sacrifices." "You mean I have to schedule an outage window to deploy that network tap so you can observe traffic?"

For item 5, Kotter counsels "communication is never sufficient by itself. Renewal also requires removal of obstacles." "We're sorry, we just don't have enough space in our data center for your equipment!"

For item 6, Kotter states "Real transformation takes time, and a renewal effort risks losing momentum if there are no short-term goals to meet and celebrate. Most people won't go on the long march unless they see compelling evidence within 12 to 24 months that the journey is producing expected results. Without short-term wins, too many people give up or actively join the ranks of those people who have been resisting change." I think that is a compelling point; find something useful, fast.

For item 8, Kotter writes change sticks when it becomes "the way we do things around here." For me this means Building Visibility In. For example, no new network link is deployed without a network tap. No new application is activated without a logging mechanism enabled and logs being sent to a central collection point. It is possible to enforce this behavior via mandate and procedure, but it is preferable for the need for these activities to be recognized as essential to success.

If you want to read the whole case study, it appears in several forms online thanks to Google.