Change: Turn And Face The Strain
The Italian political philosopher Machiavelli had this to say about change back in 1532 (The Prince, Chapter 6; emphasis added):
"For the reformer has enemies in all those who profit by the old order, and only lukewarm defenders in all those who would profit by the new order, this lukewarmness arising partly from fear of their adversaries, who have the laws in their favour; and partly from the incredulity of mankind, who do not truly believe in anything new until they have had actual experience of it. Thus it arises that on every opportunity for attacking the reformer, his opponents do so with the zeal of partisans, the others only defend him half-heartedly, so that between them he runs great danger."
But, being the namesake of Machiavellianism, he didn't shy away from identifying what really had to happen:
"It is necessary, however, in order to investigate thoroughly this question, to examine whether these innovators are independent, or whether they depend upon others, that is to say, whether in order to carry out their designs they have to entreat or are able to force. In the first case they invariably succeed ill, and accomplish nothing; but when they can depend on their own strength and are able to use force, they rarely fail. Thus it comes about that all armed prophets have conquered and unarmed ones failed; for besides what has been already said, the character of people varies, and it is easy to persuade them of a thing, but difficult to keep them in that persuasion. And so it is necessary to order things so that when they no longer believe, they can be made to believe by force."
Whew!
When it comes to process change, all organizations have doubters; some have saboteurs who, as Machiavelli noted, "profit by the old order" -- that is, they have made 'the way we used to do it' or 'I know better and I need to get this done now' work for themselves, and they create the belief that change agents are the problem, not the change resistors.
Cybersecurity is everyone's business, but it stays no one's concern until executives, acting on behalf of their own interests, create and enforce change. Our approach emphasizes that risk management requires relationship management. Executives create the strategy and rationales for the change, which in turn empowers managers to create the terms for the cybersecurity relationships, which are either cross-functional comparisons or teaming. The implementation process is created and enforced by the CISO along with line managers. We use our unique BARC process to identify misalignment across business units. Think of misaligned cybersecurity practices as potential cybersecurity hot-spots.
Good management requires good cybersecurity management, and good cybersecurity management means getting people to forgo their own misaligned practices to create strong relationships across the enterprise. Machiavelli would understand this.