Navigating Change: The 5 Stages of Security Control Acceptance

Change, even when embraced, requires adjustments within organizations and their workforces. The changing and evolving threat landscape and frequency of attacks has highlighted the need for organizations to continue implementing new security controls—and mature existing ones. The capable adversary is motivated to circumvent and defeat organizations’ existing security controls to achieve its goals. When implementing new security controls within an organization, the impacted individuals can easily become unsettled due to changes in work practices, removal of entitlements, and perceived negative outcomes and inefficiencies that are often associated with changes to security controls.

The key to navigating change associated with the implementation of new security controls and the maturity of existing ones is to understand the potential impacts of the changes. It is important to recognize and understand the emotional journey that the impacted individuals will navigate as part of the change to realize the intended benefits to the organization. The concept of the 5 stages of grief can be a useful reference to help risk and security professionals understand concerns and assist in the navigation of change often associated with the adoption and acceptance of security controls. The following are 5 key considerations when navigating the stages of security control acceptance:

1. Denial—Denial is often the first reaction of an impacted individual when asked to adopt and accept new or enhanced security controls that force a change in their behavior or remove an entitlement from them in which they currently find value. While this reaction may be short lived, it still occurs often, especially when the impacted individual recognizes that this will force a change to their existing work practices in a way that does not make immediate or obvious sense to them. Denial helps them cope with the initial shock and awe period, where they often feel helpless because something is expected to change in their work behaviors and/or practices that is out of their control.Navigating the denial stage of change associated with new and/or enhanced security controls requires positive and consistent reinforcement to the impacted individuals. It is critical for them to understand or appreciate the change at this point. However, it is important to reinforce that the change will occur. Otherwise, a risk can be realized in which the impacted individual may attempt to circumvent the new or enhanced security controls while trying to continue with their current work practices that they appreciate, understand and in which they take comfort.
   
   
2. Anger—In the anger stage of security controls acceptance, individuals often actively or passively express their unhappiness and discontent associated with implementation. During the anger stage, individuals are likely to create irrational scenarios and concerns to support their position of why the new or enhanced security controls do not need to be implemented and may even cause harm and/or create inefficiencies within the organization. The anger stage is often a critical point where vocal and influential individuals can negatively influence their peers and constituents to align with their beliefs.Navigating the anger stage often requires listening to the impacted individuals to ensure that they feel as though their opinions are being heard instead of being ignored. It is important for the risk and security professional to try to maintain trust and goodwill with individuals in the anger stage. At this stage, it is not suggested that a risk and security professional attempt to change the views or opinions of the impacted individuals. This type of activity will often just increase their anger and extend the anger period. Instead, the risk and security professional should stand firm in their position that the new or enhanced security controls will be implemented and offer to have constructive, detailed conversations to explain why the new controls are needed.
   
   
3. Bargaining—Bargaining is often an early sign of eventual acceptance, as the impacted individuals are realizing that the change will eventually occur. At the same time, these groups do not want to feel disempowered as part of the change. They will often attempt to bargain to try to maintain some degree of control and consistency within their current work practices. At the bargaining stage, impacted individuals often try to propose compromises or alternative options to the proposed new or enhanced security controls that make more sense to them. They often try to convince the risk and security professional that these capabilities will provide the same level of risk mitigation and enhanced security without causing material impacts to behavior or work practice change.Bargaining is often associated with risk management and acceptance. The impacted individuals often try to find alternatives to the proposed security controls that they feel will reduce the impact of the changes associated with them to be more digestible and acceptable. It is important for the risk and security professional to provide the impacted individuals accurate and credible security risk assessments supported by comprehensive threat and vulnerability analysis. This helps them accurately depict and support the reasoning and justification for the new or enhanced security controls and expected behavior changes.

3. Depression—The depression stage is a delicate time where the impacted individuals may feel vulnerable, defeated and unhappy. This stage often includes fear and uncertainty about the potential impacts once the new or enhanced security controls are implemented. This fear of the unknown and sense of defeat can result in reduced interest in supporting the risk and security goals of the organization, which can create more vulnerability to the organization if not carefully navigated. The key to supporting impacted individuals during the depression stage is constant reinforcement of the future positives to the risk and security professional. While there may be some short-term discomfort, inefficiency and adjustments, the benefits that result as part of the introduction or enhancement of the security controls will, ultimately, reduce or manage identified risk areas more effectively. To shorten this phase, risk and security professionals can refer to case studies or examples with which the impacted individuals had previously experienced concerns that resulted in positive outcomes, even when there was initial reluctance to adopt new or enhanced security controls.

4. Acceptance—The final phase, acceptance, occurs when the impacted individuals realize that the new or enhanced security controls will be implemented regardless of whether they agree with the decision. Risk and security professionals should not view acceptance as agreement or support from the impacted individuals, however. The acceptance stage still requires significant and consistent reinforcement of the value and benefit of the security controls. This helps ensure ongoing adoption and positive feelings as business-as-usual operation resumes within the organization.Navigating acceptance should include communicating appreciation to the impacted individuals for their adoption and acceptance of the security controls. This is often a fragile and sensitive period where they need to feel that acceptance has not been thrust upon them by the organization, and their willingness to change is appreciated. Without these individuals’ support for the security controls, there is a higher risk of failure and negative outcomes instead of the positives they are designed to provide. Offering to provide metrics that objectively demonstrate the benefits of the newly implemented security controls can reinforce their value and assist in gaining ongoing support from the impacted individuals (e.g., a risk assessment that includes inherent and residual risk components that clearly shows how the organization’s security posture has improved).

Change is inevitable in organizations, and the need to adopt new security controls and strengthen existing ones is imperative in the current threat landscape. In some cases, implementing security controls requires adjustments in work processes and the removal or adjustment of entitlements for individuals. It is often difficult for individuals who are used to being able to undertake activities they perceive as being appropriate and benign to have these activities adjusted or taken away from them in the name of security. To successfully navigate change, it is important for both risk and security professionals to understand its psychological impacts. With this knowledge, they can appreciate both why impacted individuals react as they do when security controls are implemented or strengthened and incorporate this understanding into their approach plans to achieve better outcomes.

John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP is the president of IP Architects LLC.