The frozen middle and the tentacles of change: security-conscious transformation

In this blog, we highlight Liz Murray’s best insights from Stratia Cyber’s first-ever webinar ‘Why clear goals and a people-first approach lead to secure transformation’

In times of technological transformation, organisations need a non-executive director advocating for the change, says Liz Murray, Global Security Culture and Awareness Lead at FNZ. 

Advocating for cybersecurity needs to come from a ‘non-technology person’ at the very top of the organisation, so that ordinary people within the organisation can be made aware of issues around security and transformation without being scared, she says. The messaging needs to be targeted particularly towards people who are not good with tech: if something is not usable to the people who are ‘non-tech’, it’s not usable at all. 

Liz believes that problems start to creep in when there’s a division between the ‘tech people’ who are managing the technological change and the rest of the organisation. 

Liz says, “You need to get that security message out, and reassure people: ‘This is happening, here’s what it means for you. It’s not going to be frightening: it’s going to be very easy to use.’”

Driving change from board level

Security is not easy, Liz says. Often problems begin because security isn’t driven from board level: the CISO sits slightly below the board in many organisations. If one of the non-executive directors says security is vital, then it becomes important to the whole company. This is crucial because if security messaging isn’t included, it gives off an implicit message that security is something that can be safely ignored. 

Liz says. “If you’re saying we need to be better, be faster, deliver more, but you don’t say, ‘securely’, people will deliver better, faster – and then they will ignore cybersecurity, because they feel it isn’t important.”

The frozen middle and its chilling effect

But problems creep in when end users have not been given any information – which can lead them to feeling that the change is something that has been ‘done to them’. This can lead to a fearful and ‘frozen’ middle, Liz warns. 

Technological change is often easy (sometimes as easy as selecting a tick-box). But if you flick a switch in an application, you might have end users who are left unable to do the work they were doing 24 hours before. This leads to negativity. 

“The last thing you want is for those people to become your frozen middle. In a large organisation, a frozen middle can completely stop stuff if they don’t take it on.” Liz revealed that she’s seen this happen before.

The key to preventing a ‘frozen middle’ is communication. She warns that project teams often get created (or drafted in) then start to do a transformation project without thinking about when they need to speak to the people who will be affected. Often this crucial step is left until far too late in the process. 

When people decide they are not going to engage, it can bring everything to a halt, so you need to make everything clear in language that is accessible. 

Liz says, “When we use language like multi factor authentication, phishing, vishing, smishing, they are all so alienating: it’s a fake text. It’s a confidence trickster. If we start to talk in those kinds of terms, when we’re talking about basic stuff that helps us when we start to talk about the more technical things. 

Plain language – even around technical subjects – is one of Stratia Cyber’s core values. 

“There’s some value in getting hold of the people who are the biggest dissenters to start with. So they speak up and explain why they think it’s not going to work: ‘Oh, we’ve tried this before – this won’t work.’”

Getting hold of those people and offering them a forum to be heard is useful: without the buy-in of the people who’ve been in an organisation a long time and who have been operating in that environment, things can grind to a halt quickly. 

Instead, it’s crucial to get those people involved at the start, and ensure they are on board with the change – and let them feel that they have been heard. 

Spreading the tentacles

Liz says, “If you have someone in the organisation who goes, ‘You know what, I understand how that is going to work for us, I will help the rest of the department,’ all of a sudden you are spreading the tentacles of the change that you are initiating and moving to the end goal.”

If you have someone who is enthused about it, keep them informed: this pulls them into a group of trust and that then pulls their motivation up,

Liz says, “You need advocacy at all levels from the board down.”

The key thing is to understand that there WILL be negative commentary – and find out what it is, address it and turn it into a positive. You can use this to your advantage – and deliver plain-speaking messaging that hits and lands from board level, ensuring a successful, secure digital transformation. 

About Liz

Liz Murray made a successful transition after a 20-year military career to cyber security in Financial Services in 2018. Initially spending 2.5 years with HSBC, before moving to her new role as Global Security Awareness and Culture Lead, FNZ in May 2021. Liz specialises in building protective security cultures through creating, and delivering, human factors based awareness and education campaigns that support business objectives whilst operationalising policy for global users. Very much a people person first, Liz is also a Suicide First Aid Instructor, Human Resilience specialist and Mental Health First Aider.