Change management is no longer a one-time event, but an ongoing activity for many organizations. According to Gartner research, “Organizational change is no longer a single event experience. Instead, organizations are attempting to adapt through multiple, simultaneous change initiatives.”
Even for CISOs, who are perhaps not directly responsible for change management, the ability to adopt new technologies or change behavior impacts their ability to achieve key objectives. Some of their top priorities – including user access/IAM and the secure implementation of AI – require some level of change management.
We wanted to know what CISOs think about change management at their organizations. Here is what we learned from a survey of 225 CISOs across Evanta communities.
Are they currently working on change management initiatives?
While 71% of CISOs say they are currently working on an initiative that requires change management, 21% of security leaders report that they are not. CISOs are the role with the highest percentage of executives who are not currently engaged in change management initiatives among the C-suite roles that we surveyed.
We asked CISOs in our survey what kinds of initiatives required change management, and security executives responded with answers ranging from AI adoption to cloud migration and from organizational restructuring to new product implementation.
What is their role in change management?
In our survey, CISOs appear to be involved in change management at somewhat lower rates than other executives, with 61% saying that they provide strategic direction, and 52% indicating that they communicate and engage with stakeholders. Another 48% report that they monitor the progress of change management initiatives, while slightly less than half of CISOs (45%) say that they lead the initiatives.
What makes change management successful?
Forty percent of security leaders believe that executive leadership or sponsorship has the most impact on change management initiatives. The next two biggest factors were communications and providing context for change (22%) and employee engagement (20%).
How much are their organizations investing?
Forty-seven percent of CISOs report that their organization has made a “moderate” investment in change management, and 27% say that the investment level is “low.” Very few security executives say their organization is not investing in change management at all (3%).
How confident are they in their organization’s capabilities?
Overall, CISOs have a high level of confidence in their organizations’ change management capabilities, with a combined 96% reporting that they are either “somewhat confident” (65%) or “very confident” (31%). Only 5% of CISOs are not confident in their company’s change management capabilities.
Barriers to Change Management Success
In our survey, we asked CISOs what they view as the challenges to change management success at their organizations. Their answers ranged from cultural resistance and a lack of effective communications to employee engagement and competing priorities.
Here is a sample of their responses:
We can't slow down the pace of changes, and we have resistance to change.”
Allocating resources. You can’t manage these initiatives ‘off the side of people's desks.’”
Accepting change. Certain individuals believe they should be exempt.”
Getting all employees convinced and engaged in the change.”
Communicating the level of effort, impact and end-user responsibilities required is persistently the challenge.”
Lack of communication, competing priorities, insufficient internal expertise, and timeline slippages leading to confusion about the changes themselves.”
Overcoming Change Fatigue
With change no longer just a one-time event, but an ongoing activity for leaders and organizations, we also asked CISOs how they manage change fatigue. Here is a sample of their responses:
By communicating the end goal clearly.”
By prioritizing and pacing the types of initiatives.”
Celebrating success, positive reinforcement.”
Consistency and delivering a clear value proposition.”
Clearly expressing and communicating the common benefits and showing the results.”
Regular education and addressing context for change. Sharing success stories.”
Are you a CISO impacted by change management at your organization? Explore an opportunity to discuss it with your peers by joining your local Evanta community. If you are already a member, sign in to MyEvanta to find your community’s next gathering.
Based on 225 responses to Evanta’s Community Pulse Survey, November 2024.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.
