

A major challenge faced by security leaders is the responsibility to lead cultural change across entire corporations, many times with little support from executive peers. Many security managers look at it as an impossible task, or give their potential influence away to other senior leaders in search of positional authority. Cross-organization cultural change can be challenging, but it can be rewarding. The security leader who can successfully enact cultural change stands head and shoulders above their peers in industry.

In the book “Fearless Change,” Mary Lynn Manns and Linda Rising propose a framework for change, and make the observation that change is not dependent upon positional authority; in fact, genuine change is usually independent of any authority at all. The framework they share has two components: the change paradigm, and a series of patterns for enacting change.

The key aspects of the change paradigm make up an organization’s ability to change. The paradigm requires a change agent: someone who, regardless of their role or position in the company, is completely committed to the change they’ve envisioned. The organizational culture will significantly impact the rate and extent of change. Organizations that embrace change and reward failure are most likely to experiment and discover new, more effective ways of doing things, and are naturally rewarded for their risk.

Finally, change is heavily dependent on having the right people involved in the change, at the right time. From early adopters to laggards, understanding who will ally with a change agenda can literally rescue a good idea from the demise of corporate disdain.

With an understanding of the organization’s change paradigm, the change agent is ready to get started. Manns and Rising propose roughly four dozen change patterns—tools, strategies, and activities the change agent can implement throughout the change process.

Four patterns, however, are effective for the initial phases of change:

  • Test the Waters: by dipping a toe in the water, the change agent can gauge the organization’s tolerance for and reception to the proposed change. With a small investment in time and possibly money, the idea can float and all involved can see whether it will be a success. Borrowing from the world of agile development, the idea of “fail fast” minimizes investment while maximizing the confidence in a successful outcome.
  • Time for Reflection: throughout the change process, the change agent benefits by stepping back and examining the progress made so far. Asking questions like what’s gone well, what should be done differently, and who is attracted to the idea will allow the change agent to focus on success and learn from failure.
  • Step by Step: I once had a manager who kept repeating this mantra: “You can’t boil the ocean.” She knew I had big plans for the team I was leading, and those plans would have a major impact on the company, and she helped keep me grounded in reality. The step-by-step approach to change means that, while you have one eye on the distant goal, your focus is on incremental short-term goals.
  • Small Successes: finally, by testing the waters, reflecting on success, and focusing on the short term, the change agent or team will have plenty of small successes to celebrate. Change is slow and, without the occasional celebration, can become tedious and at times overwhelming. Many great initiatives have failed simply because the change agent has run out of steam and given up overcoming the inertia opposing them. By planning, recognizing, accomplishing and celebrating little victories, the team maintains momentum and each success adds fuel to the fire.

There are a number of other soft and hard skills required to drive cultural change across an entire organization, but having the right tools and patterns, and an understanding of the underpinnings of change, enables a leader to focus on addressing roadblocks.

The call for cultural change regarding security is clear: with breaches happening on a regular basis, and corporate boards starting to pay close attention, companies need to adopt a more aggressive security posture. That starts not with high-dollar technology purchases, but with security becoming part of the company culture. The CISO, CIO and CTO who can succeed at driving this change will have unlimited opportunity in their field.

To learn more about leading change and the skills required to be successful, consider attending my presentation at BSidesSLC on March 20 and 21 in Salt Lake City.


About the Author: John Overbaugh is an experienced information security professional. He holds the CISSP, GWAPT, GSLC and GCIH certifications and is a SANS mentor for MGT 414, the CISSP prep course. John has been in information technology since 1995 and in information security since 1999, when he led the first product group at Microsoft through the secure development lifecycle. As Director of Security for Healthagen, an Aetna company, John was responsible for application security and HIPAA compliance across enterprise, consumer, and mobile solutions. John is the owner and principal security engineer at infoSecure, which specializes in the nexus of consumer, mobile, and application security and compliance.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.