ISACA Journal
Volume 5, 2014


Leading Change and Transformation in Information Security 

John Simiyu Masika, CISA, CISM 

“Leaders who successfully transform businesses do eight things right and they do them in the right order.”1

An information security manager engaged by an organisation that has yet to adopt information security best practices or embrace an information security culture faces a different set of challenges from an information security manager at an organisation that has mature information security practices, i.e., a maturity level where processes are defined, managed, measurable and optimised. When faced with an organisation where the maturity level of information security governance, programmes and activities is very low, i.e., nonexistent or ad hoc, the information security manager is expected to set up an efficient information security strategy, develop a programme and institutionalise an information security culture.

The change and transformation approach the information security manager takes may determine the success or failure of such initiatives. Whatever approach or strategy is chosen will involve introducing and implementing some changes to processes, technology and employee culture. In short, the information security manager must lead change in information security within the organisation.

Leading change means putting in place systematic processes aimed at transforming the information security management and practices within the organisation.

Change Management

Change management is a set of processes employed to ensure that significant changes are implemented in a controlled and systematic manner.2 One of the goals of information security change management is to align people and culture with the needs of information security best practices in the organisation and to overcome resistance to change, in order to increase stakeholders’ involvement and achieve the organisation’s information security goals.

Information Security Responsibilities

The current Certified Information Security Manager (CISM) job practice requirements classify information security management responsibilities into four broad domains,3 each domain with a set of activities and knowledge statements. The information security manager’s immediate goal is the implementation of various tasks in the four domains within the shortest time possible:4

  • Information security governance:  Establish and maintain an information security governance framework and supporting processes, and ensure that information security strategy is aligned with organisational goals and objectives, information risk is managed appropriately, and programme resources are managed responsibly.
  • Information risk management and compliance:  Manage risk to an acceptable level to meet the business and compliance requirements of the organisation.
  • Information security programme development and management:  Establish and manage the information security programme aligned to the information security strategy.
  • Information security incident management:  Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimise business impact.

To successfully implement the tasks of the four domains, the main challenge will be to lead change and transformation initiatives when introducing information security best practices and culture within an organisation. As a leader, a new information security manager will find that change and transformation initiatives are messy and their success relies much more on soft skills than technical skills. According to John Kotter, change and transformation initiatives fail because they are not systematically structured.5

Kotter has been observing the process of leading change and transformation for more than 30 years, and he believes that there are critical differences between change efforts that have been successful and change efforts that have failed. For any change and transformation to succeed, Kotter identifies eight critical steps, which he calls the Eight-stage Process for Creating Major Change.

Just like any other change and transformation initiative, introduction of information security principles and best practices in an organisation ought to be structured. Information security managers should consider the following eight steps when leading information security changes and transformation. These steps, adapted from Kotter’s eight steps to leading change, should be worked through in sequence. Skipping one or more steps to try and accelerate the process may cause problems.

  1. Establish a sense of urgency for information security. As the one leading change in information security, the information security manager needs to create a sense of urgency in the business. Motivate top management and business units by linking the benefits of information security with industry requirements and market trends, competition, and the need for compliance with regulatory requirements. Creating a sense of urgency is necessary to motivate key stakeholders and ensure that they cooperate actively. A sense of urgency can be increased by giving presentations to all stakeholders and including references to litigation involving information security incidents within the industry nationally and globally.
  2. Form a powerful guiding coalition. Information security management requires a stakeholder approach. The information security manager needs to identify the key stakeholders in the organisation whose responsibilities facilitate the information security manager’s duties or overlap with his/her responsibilities. Form a coalition team that will champion information security within the entire organisation, business units or branches. It may be necessary in situations where the information security manager does not sit at the executive table that this team is led by a top-level executive who has greater influence and authority at the executive level. The team should have enough energy and authority to lead information security change efforts. Encourage this group to work as a team and implement periodic brainstorming sessions.
  3. Create an information security vision and strategy. Information security managers need to create a vision and information security strategy to guide information security operations. Anchor the vision and strategy to the enterprise strategy and develop an information security programme to actualise the vision.
  4. Communicate the information security vision and strategy. Communicate and share the vision and strategy with top executives and the employees of other business units. Use the coalition team created in step two to communicate the vision throughout the organisation. Use posters, intranet and a web site to educate employees on the strategy and how it fits with the overall business strategy. Make it a habit to have the information security vision precede any other content during PowerPoint presentations on matters of information security.
  5. Empower employees to act on the information security vision and strategy. Information security managers must empower all stakeholders to play their role and act on the information security vision. Identify and remove obstacles that may hinder adoption of information security by employees. Achieve this by revising IT policies, offering education and awareness training, and restructuring.
  6. Plan and create short-term quick wins for the information security strategy. Plan and create short-term quick wins to show stakeholders that, indeed, the vision is achievable. This will help them begin to feel the positive impact of making changes and keep them motivated. Identify those initiatives that can be implemented within the shortest time and require a small budget, but have the greatest impact on the business, and make them a priority.
  7. Consolidate information security improvements. Small improvements will be noticed at the initial stages. However, information security managers should not declare victory with the first few performance improvements and quick wins. Premature celebration of improvement may kill the momentum and demotivate the coalition team. Instead of celebrating short-term improvements, ensure that information security programmes, structures, culture, ethics and behaviours have been institutionalised within the business.
  8. Institutionalise new approaches. Institutionalising new approaches to information security means that you must anchor information security changes in the organisation’s culture and ethics. Unless new behaviours are rooted in the social norms and shared values of the organisation, stakeholders may fall back to old behaviours. Ensure that succession arrangements have been put in place for the coalition team formed in step two.

Figure 1 provides a mapping of Kotter’s eight-stage process and key information security initiatives at each stage.


The key responsibility of a new information security manager is to lead change and transformation in information security within an organisation. Unless the change management approach is structured to fit the needs of the organisation, it is bound to fail. Kotter’s eight steps to leading change can be utilised to guide the adoption of information security in an organisation that has a nonexistent or ad hoc information security maturity level.


1 Kotter, John P.; “Leading Change: Why Transformation Efforts Fail,” Harvard Business Review, 1995
2 The University of Adelaide; Leading Change, Transition and Transformation: Guide to Staff, 2011
3 ISACA; CISM Certification Job Practice, 2012
4 Ibid.
5 Op cit, Kotter

John Simiyu Masika, CISA, CISM, is the information security manager at Housing Finance, Kenya. Masika manages information security, IT controls and risk. He has 12 years of experience in IT operations, assurance and compliance in the public and private sectors.



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.