Change Management Initiatives in Information Security and Information Management

If you’ve been following my recent blog posts, you know that I’ve been writing on the various components of Doculabs’ information management program framework—i.e. what you need to do to execute information management successfully and help minimize the impact of a breach. Change management is also now a big part of information management.

Information Security executives must now address information management.

Doculabs developed this framework because, increasingly, the day-to-day practice of the Chief Information Security Officer (CISO) now requires addressing information management—i.e. making sure corporate repositories contain as little sensitive data as possible.

The five components of the framework are as follows:

In this post, I’m down to the last item on the list: change management.

Change management is the most overlooked aspect of information management.

Change management is typically the most overlooked aspect of information management. Think back to rollouts of information management systems at your organization, especially SharePoint, and consider the level of change management support that was provided.

The reasons those systems typically failed to deliver the promised results aren't difficult to identify. You can’t change the way everyone works with their day-to-day business documents unless you over-communicate and provide ample training.

Here’s an idea: When planning for any rollout of new technology, try replacing “[name of new software product]” with “SAP” or “Salesforce,” and see whether your planned course of change management makes sense—as in “we’ll roll out SAP/Salesforce and give users a link to a training video.”

Information management should be viewed in a manner that's similar to any enterprise platform.

Information management systems are enterprise platforms, on par with SAP or Salesforce, and they deserve the same time and attention to change management as you would allocate to a rollout of SAP or Salesforce in order for the information management system to succeed.

Without that time and attention, you run the risk of having all your information management efforts fail. Or worse, you risk souring the organization on the value of information management in general—something that, to be effective as a CISO, you cannot afford.

Develop a matrix and a schedule for communications, training and stakeholders.

At minimum, we recommend your approach to change management include the following items:

  • Develop a stakeholder matrix. Who are the key stakeholders that need to be informed of the change and managed throughout your information management initiative?
  • Develop a communications and training matrix. What are the key communications and training events required to manage the changes in information management? When do the events need to be delivered, and to whom? What are the most appropriate vehicles for delivering communications and training to various stakeholders and user groups?
  • Develop a schedule of communications and training. When do you need to execute the planned training and communications events?
Download the Transforming Information Security with Information Management White Paper
Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.