I read a good article a few weeks ago, by Tom Mendoza of NetApp called 6 Powerful Ways to Embrace Change. It’s worth the short read.

It got me thinking about how the information security industry is really in the business of change management. Change management seems to be a business term for “doing everything you can to avoid embracing change”. I’m going to take Tom’s 6 ways and rewrite them from an information security perspective.

1) Don’t look back

Unfortunately, in the information security industry, not looking back is a sure key to failure. If you don’t continue to address the risks presented by your legacy system which no longer gets security patches, or pay attention to information that was long ago shared with a now-defunct business partner, you run the risk of exposing your sensitive information. You need to continually look back and manage the old while continuing to address the new.

2) Ask yourself, “What’s next?”

This is an important strategy in information security. For two years now, the drumbeat in information security has been around “the cloud”. Well, people have already moved to the cloud, and they are still trying to figure out if they’ve done it right, if their information is safe, if they will be able to keep functioning in an emergency. We should have been solving the problems of the cloud 10 years ago, just after Amazon announced the release of AWS.

3) You must be bold

Dreaming big is hard to do in the information security industry. Nobody really wants the security people to get involved because they cost money, they slow things down, they make people nervous. Information security folks that dream big and think of bold contributions to make are often shown the door, or told not to rock the boat.

4) What about your people?

What people? According to one study, nearly two-thirds of companies are understaffed in their information security departments. It is hard to embrace change among people when you are consistently lacking the manpower necessary to do your daily work. Instead, you may suffer along with the same semi-productive individuals because at least they are taking something off your plate.

5) Embracing change can be intimidating

For this point, I agree entirely with Tom as he wrote “Aging well as a person—or as a company—is based on two things, curiosity and a desire to get better; to excel.” The information security industry does not seem to have enough of either of these things working for it – curiosity and desire. We need to learn to embrace those things more.

6) How can you put this in a business context?

What are we as an industry getting better at? Creating lists of checkboxes? Charging monthly subscription fees? Creating job security for ourselves? The change in the IT industry is rapid, and by constantly lagging behind, information security continues to make itself an impediment rather than a valuable member of a highly functioning IT organization.

In my opinion, it is time that the information security industry gets out of the business of change management, and into the business of managing to change.