Cybility Savvy
Cybility Savvy
E14 - A Change manager's view on digital transformation and cybersecurity
šShow notes:
How is digital transformation enabled by change management and cybersecurity?
Michala Liavaag talks with Ket Patel, an accredited Change Manager Master practitioner, about his journey to becoming a cyber savvy change manager.
Ket has over 20 years of experience leading change and transformation within Financial Services, Technology and Consulting industries. He is also the UK Co-Lead for the Change Management Institute, and host of the podcast The Change Chair.
In this episode, Ket shares the lessons he learned about cybersecurity as a change agitator.
Michala and Ket also trace parallels between the fields of Cybersecurity and Change management.
š Cited in this episode:
Cyber security longitudinal survey: https://www.gov.uk/government/publications/cyber-security-longitudinal-survey-wave-one
Darknet Diaries podcast: https://darknetdiaries.com/
Book Big Magic, by Elizabeth Gilbert Movie MoneyBall, directed by Bennett Miller (2011)
-----
āFound this useful? Please rate and review, as it helps reaching more people
šYou can also subscribe and share on social media
š¬ Contribute to future episodes with your cyber security concerns and questions
š¤Connect with Michala and Cybility Savvy:
ā LinkedIn ā Twitter ā Youtube ā Instagram
---
āš¾Written and produced by Michala Liavaag
š¦Co-produced and edited by Ana Garner video
šµMusic by CFO Garner
-----
āFound this useful? Please rate and review, as it helps reaching more people
šYou can also subscribe and share on social media
š¬ Contribute to future episodes with your cyber security concerns and questions
š¤Connect with Michala and Cybility Savvy:
ā LinkedIn ā Twitter ā Youtube ā Instagram
---
āš¾Written and produced by Michala Liavaag
š¦Co-produced and edited by Ana Garner video
šµMusic by CFO Garner
Welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders
Michala Liavaag: Hello. Iām your host, Michala Liavaag, founder of Cybility Consulting. Today we're going to talk with Ketan Patel about their journey to becoming a cyber savvy change manager. We'll discuss the ins and outs of digital transformation and cybersecurity from the perspectives of a change manager interested in how technology can enable the business. Hi Ket, thank you so much for joining us today.
Ket Patel: Thanks, it's great to be on here.
Michala: So for those of you who haven't come across Ket before, Ket is Accredited Change Manager Master practitioner. He has over a 20 years of hands-on experience leading change and transformation within Financial Services, Technology and Consulting industries. Ket has a passion for taking lessons identified from projects, industry and personal experience and helping others find ways to apply them to help ensure change benefits are realised, change resistance is minimised and change is adopted and sustained by focusing on the health and wellbeing of all those impacted by change. Ket is also the UK Country Co-Lead for the Change Management Institute ā a professional body dedicated to establishing and promoting best practice in the delivery of change. In his role he works to build relationship with industry bodies and academia in order to raise awareness of the Institute and to share best practice to keep the discussion alive about how we can deliver change better. His other area of interest is social media and facilitating discussion that help the profession to challenge their beliefs and understanding to deliver the best outcomes for those impacted by change. So Ket, for those in our audience that don't know you, would you like to say a bit about yourself?
Ket: Oh God what to tell you? So, Iāve been in technology projects for as long as I can remember. I actually studied Mathematics at university, and one of my kind of ideas was I wanted to figure out a role. I was expected to go into Medicine, and it was probably a bit of a disappointment going to focus on mathematics at university. I really wanted to focus on how you apply mathematics to business problems, and when I left university I got involved in projects and I was applying sort of a little bit of analytics to kind of decision making, but I found this whole world of change management as well. And so my whole fascination is with how do we get a combination of critical thinking, human behaviour, and outcomes for business that kind of optimize those three things? Much of my experience with change management is really focused around those three things. I just absolutely love talking about this topic, and Iāve recently discovered that the joy, I guess, of cyber security and information security, so Iām really pleased to be on the podcast and talk to you about it and see where the worlds of change and cyber security overlap.
M: That's great, thank you. And they absolutely do overlap. One of the things that I think is hot on everyone's mind at the moment with Covid, is the digital transformation, and how everyone's been sort of forced to fit, I suppose almost like a decade with the transformation, into a matter of months. How have you found that?
K: It's really exciting to see honestly. I think every organization Iāve talked to about their transformation of remote working in hybrid, and you know now coming to look at hybrid working, is amazed at the speed of which they deployed technology to their people. And equally the speed at which people grasped how to utilize that to continue functioning in their jobs. That is an amazing achievement. You see a meme going around which was kind of what drove your transformation strategy, your digital transformation strategy? The driver is Covid, which no one ever expected right? An external third factor that no one ever thought about. I think it's been phenomenal for our understanding of how change can be navigated at speed, when we start to go back to what we consider to be this hybrid way, and actually there is more than just Covid to think about again. How do we make change happen when there are multiple things going on? We're in a really interesting time at the moment because I think one lesson people could take away from the last two years is that we can do really really big things, at really really great speed, unlike we've ever seen before, and we don't necessarily have to think too much about the people involved, because if we throw it at them, they'll figure it out. Which is an observation, but I do think that you can only sustain that for so long. People will grow tired of that way of operating. So, it worked because everybody was entirely focused on one objective, which was to be productive again in a remote world, and make it work. Now what we're seeing is the flip side of that, is that now we need to figure out how to reintroduce the rest of our lives right, again back to kind of the way we work. And I think that takes a lot more effort. We can't take the lesson that throwing a lot of things at one group of people and expecting them to swim will always work in every scenario when people have got other stuff on. So I think it's a really interesting time to be in organizational change and transformation, particularly around technology and our relationship with it.
M: That's a really interesting point you make around you know the ability to sustain implementing change in that sort of way, because I think for a lot of people it's been that exciting that āoh my god Iāve been trying to get this project off the ground for years and all of a sudden it's like in, done, you know wonderfulā! But also Iām just wondering about the embedding of new behaviours side of change and from again my point of view as a security practitioner, Iām thinking that Iāll give you an example: when everything started with Covid and locking down, I was working in a healthcare charity at the time, and it was very much a case of: we just need to get this done. There was additional legislation from the government to allow information sharing in ways that we haven't been able to before, and it's just done: get in quickly, we'll review this afterwards, and come back to it and fix it, which is something that you just alluded to as well. And you know here we are, a couple of years down the line, we are never really realistically going to be able to go back and do that. So what are you seeing as the implications for that from your side of things?
K: The one thing I see and it happens, it happened before Covid arrived, is that we take decisions, we achieve a goal, but we take some shortcuts because of time. So we choose to take certain routes over others because we're short on time. And we say we'll go back and look at those things, and often we don't because again we're still short of time and we've got new objects. So I think what this is underlining for me to your point about sustainability is: we've implemented a bunch of practices that enabled us to work in a certain way for a period. Now we really need to look when we return to hybrid, or we define a hybrid method is: what was from the old way worked really well? What currently is working really well? And how do we bring those two things together? Not just now review it, but review it kind of on a consistent basis to say is this still working for us? And I think what we're going to end up with if we don't do something like that, which the tech world knows really well, is tech debt but for people. We can end up with people gap. Mentally, people are just going to have taken decisions shortcuts, putting processes in place that work for a specific reason and they're going to outstay, they're not going to be useful for the thing that we're going forward with. So injecting moments of pause and reflection in what we're doing, and taking active decisions to move forward, they are critical, they've always been critical, but they're even more so now. As you roll new technology out and you're against pressure to get something usable out to users or something implemented, you take shortcuts. But how do you look at what was left over and what you do with it? Technology definitely we need to kind of make sure we're doing that kind of review period, but like even in working practices you know Iām seeing there is an increasing need for us to be looking at how are we working? Is it effective? What do we do next? Continuous improvement mindset is really really key
M: Yeah that's definitely something that struck me when you were just talking, I was thinking about that. You know you sort of talk about technical debt and people debt, Iād say there's also that security debt, because quite often you end up in technology with this kind of lift and shift mentality. As people move from new sort of on-site premises to cloud services. And quite often don't appreciate the differences that that means in terms of cyber security, and also you know, people's behaviours around accessing their services. And Iād say that there's again been a lot of kind of just get it moved, we'll deal with it later, but actually once those behaviours have already started with things in that way, it's that much more difficult to go back. And even if you can go back and add security controls in, things that then potentially disrupt what the users have become, what people become used to doing, it's really hard to unpick that. So I think there's lots of challenges for people around that, in terms of their security debt as well.
K: Yeah
M: What was your kind of aha moment around that cyber security? What sort of triggered it for you?
K: Interestingly, I was moving through the next series of podcasts to listen to, and I just listened to a podcast on BBC sounds, called The Missing Cryptoqueen, but it led me on to another one because kind of hooked on this kind of information, and how data was being used. And I found something called Darknet Diaries and I just like the title, I thought it was kind of like: āoh Iāve heard about the dark net, what's this all about?ā I listened to the first episode and immediately it hooked me in, by sharing a really accessible example of how the world around us is technology controlled, and is largely open based on human behaviour. Those two things about how we interact with it, and what we give up and what we share is all potential vulnerability, and all the way in
M: Okay, no that's excellent and it's really interesting to me as well that when you talk about it you seem to be excited and interested about it, whereas some people would hear that and be terrified by it. How is it that you're able to sort of turn that into thinking about how you can engage and sort of do something about it?
K: Maybe Iām more sceptical on the technology. You know, Iāve been around technology for a long time, but the thing I always see with it and where I come from is that technology isn't the answer, it's the people that use the technology that are the answer, right? So if you're implementing something for business and it's involving technology, it's how your people use it or how your people fit in around it to provide some outcome? And so Iāve always had this awareness that, maybe we're seeing technology in the wrong way. When people push technology out as a solution, we're kind of missing the point. Like, what is it enabling a human to do? You look all around us and we're consumers, we just take the latest piece of technology, we use it. We don't think about it, we don't look at the repercussions, we don't think about what we're giving up, we just click yes to all of the things it asks us to, because we want to get to use the applications as quickly as possible. I find that interesting. Being unaware of what we're giving up, actually in some ways starts to erode our value and gives away stuff we never thought we were giving up. And Iām just fascinated by that dynamic. I think cyber security, the way we're connecting things but maybe not thinking about what that actually means, as just as a you know population of people and technology, I worry about it. But for me, education is the way to kind of avail myself of that thing. If I understand, then I can be more active in the decision. If I just accept, then I can't be, Iām just open to whatever happens with that afterwards. So for me, it's about the curiosity to learn, to be more informed. And I think if people were generally more of that nature, they would kind of be a little bit more protective.
M: I think again it's quite interesting about the Cyber Security Breaches Survey that the government do each year, it was quite depressing to see what small percentage of boards and leaders are actually getting any training or awareness you know from their organizations, and thinking about their impact potentially on the sensitive information that they might be dealing with in board meetings. The other thing that comes to mind from what you said is the Verizon do an annual data breach investigation report. It was something like 80 something percent of breaches that they looked at, were all related to a human element, in terms of either failure to use technology appropriately, misconfiguring technology, all that sort of stuff. And so the biggest thing as you say about our people is educating them. I find it fascinating how organizations will throw money at the technology solutions, but will kind of really sort of scrimp and save around spending some money on training for their people. Do you find that sort of same challenge in your sort of digital transformation programs from a change management point of view, and investing in that people change side of things?
K: Yeah definitely it's a real bug there, and I think if you are studying change practitioner and one of their number one frustration is seeing change management as a nice to have, as part of any kind of digital or any change kind of initiative right? My introduction to getting into change management was actually via project. So I was doing technology projects, I was doing integrations with mergers, all of them had some element of re-educating people about how to use something, and also telling them that it was coming so they were kind of prepared for it right? So these are the two key elements: how ready are people and what are we doing to get them to adopt. The two things we would often do in projects are: we would do some communication, you know, we would have a line in our project communication plan and we would have a training plan line in there. I can't think of a single project that at some point when it came push came to shove one of those two things, if not both, got dropped right? Because we're under pressure, times are tight, we've got to focus everything on getting the thing delivered. I could tell people that these were important, but people needed to see it. So the only way I could make people see it was to protect them to some extent in my project, and show the value they brought in actually getting people to use the system and the feedback we got from them after it was implemented. It's the slowest way of doing it right? Like I have to do it one project at a time, I have to demonstrate value, I have to try and get other people to see that value and get them to do it. Really what we need is organizations execs to really recognize the importance of the people in the usage of whatever it is you're trying to change: the policy, the process, the tool, the application. People will use them, but they'll use them in ways that make sense to them, unless you don't train them or educate them and maybe those won't make sense or maybe they weren't the way you intended, that's uncontrolled risk, right?
M: Yeah
K: And uncontrolled risk is often at the cost of the saving you expected, the benefits you expected to realize. So ultimately, they do affect the bottom line. Even if it's indirect, and I think that's what the messaging continues to reinforce is: if you want benefits out of investments and technology, focus equally on the people as you join the technology, because the benefits are only realized with the people, you know, the technology comes because that's how people use it. So I think that's a really important message, probably both for cyber security, infosec and for the change.
M: Absolutely! Just hearing you talk about that, people needing to get to grips with change around the information, the business processes, technology etc. Cyber security and information security have a role in every single part of that, and unfortunately Iāve seen so many projects where they don't think about it. It's not a standard topic to think about on their project risk register, it's not a line in that product schedule. And then, as you say, if you manage to get the line in there, and then there's pressure on time, guess what drops out? So it sounds to me like there's a lot of parallels with change management challenges and cyber security and information security challenges as practitioners actually.
K: When I was running a technology project, if I had to come up against infosec, found it quite difficult conversation. It was always like: these are the boundaries upon which you can operate, don't move outside them. It always felt like it left a level of pragmatism. So again I completely understand that we've got to be protective of the business but we've also got to make it useful. Iāve struggled with that kind ofā¦ look I understand, we've got protect, but we've also got to make it usable. Where's the optimization within that discussion? When you get into the theory and the detail, it's not the most sassy of kind of topics right, unless you're really into it. So what Darknet Diaries does, what podcast likes Cybility do, is they try to make it curious enough, you want to go and learn a little bit more. And I think we need to be doing that in project. I never go to somebody and talk to them about change management theory. I say: what's the challenge you're trying to solve? And how can change, how can a little bit of change knowledge maybe help you? That kind of thinking is: Iām not here to tell you how to do information security, or how to do change management. I am here to help you solve a business problem, which will involve some level of those two things, so let's work together on it. Definitely in change management we need to work on that. Stop selling our wares and instead kind of pick up you know, solving business problems. And from my experience to kind of the few infosec people Iāve talked to, I think there's it need to be a bit more of a balance towards kind of business outcomes, But I completely get the kind of risk factor that is being carried around infosec and cyber security.
M: It's a really interesting observation you've made there, because within the community we tend to sort of talk about āold schoolā infosec and ānew schoolā. āOld schoolā is that as you described: so security says āno, these are your boundaries and that's itā. āNew schoolā is: what's the problem you're trying to solve, and this is how we can help you do it securely. So you've got pragmatism, you've got to focus on you know enabling business, rather than: no, you just can't do that. If there are challenges then around how you can do it securely, and that's not going to work in terms of that balance of optimization as you talk about, then it's just a risk like any other business risk. So you can escalate it, do the risk management process, and if the execs want to sign off and accept that risk, fine. But at least it's informed, they've done the assessment, it's an informed decision that's being made, and you've involved the right stakeholders, the right people to talk about, and look at it from different angles. One of my frustrations is that you know some security professionals are very kind of by the book, nothing else kind of matters, and it's like, we really aren't that special. It's just another type of risk like health and safety risk etc. It's just the fact that because technology is so integrated in everything we do as you said, home and work, there's a lot of risk in terms of the areas that you can go wrong.
K: Yeah, I think that's exactly it. Risk is inherent in the work we do, every decision we take there's an alternative we could have taken right, so we're sort of trading one off for the other. It comes back to kind of awareness of what that is, and active decision making in that moment around which one is best suited for you, which is the most optimal solution to take at that point in time based on the information we have. If that changes, it's okay to change as well. In projects Iāve seen in general there's a commitment to a decision, even based on new information. It kind of is reverse right? Like, we know that what we agreed two weeks ago was the right course of action then, but we've learned something new, what's the opportunity cost to make a change in that decision? We don't evaluate, we just kind of carry on ploughing away and I think that's another area, certainly from a project perspective, we need to consider, but Iām so pleased to hear that there is this movement right, of practicality pragmatism within that space, because I do think it's such an important part of business. And technology projects, technology, security and the way we engage people in a business, is so critical to a successful adoption, that we need to be open to kind of working collaboratively on it, as opposed to kind of setting some boundaries and saying that's how it's going to be.
M: No, I agree with you. And just thinking about sort of creating that sort of environment if you like. What's your experience been of helping executives understand the impact around some of the decisions they're making, or not revisiting some of those decisions that they're making?
K: It's about awareness, it's about being active in the decisions, we always are carrying numerous risks. One of the things that strikes me more with cyber security or information security is if something goes wrong in that space, there's often a reputational damage to an organization. There's also a financial one. And the reputation one comes kind of media frenzy and things like that. When those sorts of things where people's information, personal information is sort of breached and made exposed, they look for the kind of most senior person to answer the question around it. When the security teams come to boards with the risk profile of what we're carrying as a business and we don't actively engage with understanding what that means and what risks we're carrying and how we manage that, and we just sort of leave it to somebody else to think about, we're kind of devolving the responsibility, but we're still carrying the risk. That for me is the key thing: is be active in the decisions around what risks people are taking or what you're carrying, and be comfortable with them. So Iām helping facilitate some options for them. Iām giving them the pros and cons of different options, but the decision should come down to the executive team, and they should be active in that decision, and be confident that that's the decision to take forward. And again, be equally confident to change it if the scenario changes, something else changes. So I think it's that: trust in your teams to bring you the right problems, and be active in the understanding of what that means to the business, and take appropriate decisions you know, based on what your risk profile is to address them. From every single breach that has been in the news, it's always been probably the most senior person in the organization that has to answer right.
M: Just thinking about that you've talked about your sort of data breaches and the potential impact from sort of reputational damage, financial damage, etcetera. Quite often, both things with project management and cyber security and maybe, from what you're saying, potentially change too, there's tendency, when we look at risk to think very much about you know the threats what can go wrong. We don't often think about the opportunities and how we can help things go right.
K: One of the things we're becoming more and more aware of is: there is no perfect decision right? There's never been a perfect decision, but when things are really uncertain and the things are changing rapidly, I go back to this point around you can only make the best decision you can on the information we have at that point in time. But it isn't always going to be probably the best decision, in two weeks you might have new information, another decision might have been there. You couldn't have made that decision, you don't have the information for two weeks later. So I think one of the things that I would like to see more generally in project and certainly within sort of the delivery of change is a more periodic evaluation of the decisions we've made, and do they still feel right? And do they still take us in the direction we want to go? What's the opportunity cost for making a switch now as opposed to carrying on with what we've made and making a change some other time? The whole idea of having organizational agility comes down to being able to evaluate what new information we've got, which direction we should go. If we're really talking about being kind of nimble and agile, I think we have to be really open to kind of just saying: you know what guys? The information tell us something different now, let's do something different, let's take that decision, let's reassess what that means for us, let's see what we need to reshape, what we need to reprioritize, who we need to put where. Now, Iām not saying do this every week right, like that's on the table but again, there's an optimal period at which you do it. Is it quarterly, is it annually? For some organization we go through the cycle of planning, I don't think we go through the cycle of reevaluating decisions we've just made, and the information we've got, what we should do next. And I think that's really fundamental to kind of a business that survives a very uncertain world, and really rapidly changing world.
M: Just thinking of all the sort of projects that Iāve been involved with, I think Iāve only ever once seen an actual decision log. You know somebody who wasn't involved in the project could go look at and see what decisions were made, the rationale for them being made in order to do that review that you're talking about.
K: Yeah
M: Is it perhaps more common practice in other areas? Or is this other ways of doing it than perhaps just a decision logging that Iām thinking of?
K: There is a size and complexity and kind of impact that kind of plays in here. So I would argue that any project should have a governance structure, which looks at how decisions are made right? And that might be a board of stakeholders that kind of review it. Anything that's deemed significant enough however your project chooses to measure that, whatever methodology or approach, is that when we choose a decision that that is log. We have an active open discussion, here are the options, this is this is the problem, here are the options, these are the costs, pros and cons, we log why we chose that decision. Because it's about traceability and transparency. Governance again, governance sounds like a horrible word that kind of tries to stop you from doing stuff, but it really isn't. It's about making sure that when we take decisions we're clear about why, because weeks later, you can guarantee most people have forgot half of the conversation because so much is going on. So it's that kind of evidence for evaluating what the problem was, agreement about the decisions we take, and the expectations of what we hope will come from the decision we chose. For me, it's like a change impact assessment. When Iām looking at what a business is going through, I look at what do they do today, I look what is the plan for them in the future, and I kind of figure out the delta right? And that's how we define what the training might be, or the communications will be, or who's impacted, and what they need. When we take a decision in a project to do something different, we had a view of what we were gonna do and what it would look like. There's a change impact assessment, it's just now focused on a decision in a project like when we choose different paths in the way we're gonna implement something, or do something, or resolve an issue, we have to record our thinking, then be able to look back at whether that was the right thing to do. And I think too often we're in the business of get a decision done, move on, get a decision done, move on. And I think it's worth taking the time to kind of go why that decision then.
M: Yeah that's really helpful. And just thinking again about you talk about change impact assessments, you know, these can equally be data protection impacts assessments, information security risk assessments. It's all part and parcel of the same thing in terms of what's the problem we are trying to solve, this is where we are, this is where we're going, and how we get there. And, for us, how to get there securely. So that's really good, thank you.
K: The one thing I would add is that whenever we take those sorts of decisions around actions it's about of all the different perspectives of what is a risk. It's not just like a security perspective, or you know an operations perspective, or a technology leader's perspective, or the program director right. It's about everyone having their opportunity to share who has an outcome of that. Iāll give you a very quick example where we were talking about, we're expecting to replace a current sign-on to a system with a single sign-on but the technology to do it was delayed. It meant we were kind of exposed in some ways to kind of a less effective sign-on mechanism for a period until the single sign-on was in place. And to start with the security team were like look this is not good enough, we're gonna have to rewrite this, or you're not gonna be able to roll the system out, blah blah blahā¦ And I said okay that's fine, but let's also talk about the other protocols around the security system. In order to get to the security system, you need this pass, that hasn't changed. In order to be able to log on to the system that you can gain access to is the same. That hasn't changed. So we've already got two lines of defence. I understand that this is important, but now we're trading off the balance of the existing security we've got around it which hasn't been breached in time, the kind of security you're saying for a period of time that is going to be exposed, but has still got two lines before it. So for me it's about like, can we have a conversation about where the risk really is and how much we're carrying? So I think what's really important is there is more than one view about the risk, and it's important to evaluate all of those before you make a decision. I think that for me is the conversation that comes from, and that's why the recording the outcome is important.
M: When it comes to single sign-on Iāve got really mixed views. Part of me is kind of like: delay it as long as possible, because if you've got separate usernames and passwords, then at least if it's hacked it's only going to affect that one system and not everything, you know?
K: But then on the flip side is the user has to think about more than one final and that becomes you know.. then they start doing other things which you don't want to do. which is they might write something down. So there's this again, it's a balance right? How do we make security secure from a technology and a people perspective? Really important balance and no single answer right, but it is about a conversation about where the risks are right?
M: Excellent. if we could just talk a little bit about you know your co-chair of the Change Management Institute, could you tell us a little bit about your role and what that entails? And also actually for those who may not be familiar with it, what Change Management Institute purpose is.
K: Change Management Institute is a not-for-profit professional body established really because, I hate to develop a competency framework for practitioners out there. How do you know if you're doing the role of a change manager if you're doing some stuff from others? So I think the basis of the Change Management Institute really was to kind of come up with that competency framework. The organization also developed kind of a maturity understanding. So how mature is an organization for these capabilities in individuals and as a collective? So those two core things are really about kind of understanding the state of change management within business in general, but what we really focus on having kind of established that as our kind of core offering or kind of core purpose for creation, is that practitioners are put you know practicing every day in organizations, and often I myself several years ago didn't realize there was a whole community of us out there doing within organizations. Sometimes it's one person, sometimes two. My role is really to help raise awareness that change management is a business function, and has business value, to raise awareness to practitioners that are trying to do this within organizations or independent to come together and share best practice, and to help continue to evolve the profession by developing our tools, our techniques, our processes, our methods, so that we can continue to deliver change as effectively as business need. But it is still very much about educating the wider business that change management has value.
M: One of the things that I supposed I feel quite strongly about, but Iām not really seeing it yet, is you know how on a board committee you'll typically have somebody who is really strong on finance because of this governance within the organization? I don't often see somebody on the board who is charged with cyber security, information security, sort of information assurance as a whole piece, as the kind of sort of lead on that, that the board can talk to and rely on and really championing it at that level. In your experience whether at CMI or elsewhere, is that something that you've seen at all or think would be useful?
K: I would agree with your assertion. I just don't think that it's seen currently as the risk to be reviewed at that level and I think it's becoming increasingly important and I think you know studies like the ones you mentioned earlier where there's kind of an assessment of the threat or breaches that happened and the outcomes of those. I think people in boards certainly need to be taking those more seriously. they might need to put someone in place to kind of be more aware of what's going on in the market generally. And also what's going on with internally within organizations, and report on that on a regular basis. It is becoming more important because the methods, the approaches they're all becoming more sophisticated, and we're becoming more connected, and so these are not being, they're not in our control anymore you know? Someone could do something millions of miles away and be into our system and we wouldn't know about it necessarily, unless we've gone you know this thinking up front and we're continually reviewing it. I think it's missing and I do think this should be something that you know boards need to represent. Again especially because it's senior executives that get put in the firing line for when these things happen the expectation is: it's your organization therefore your accountability to kind of be over how these things happen. So the thinking is there already, it's just about being aware to apply and taking an active choice and I think that's where like it doesn't have to be expensive, it just has to be sufficient for what you're ready to kind of protect against. People scared by the cost of maybe establishing something like this I think should maybe challenge themselves a little bit to see what they can do at whatever budget is affordable, but do something.
M: Yeah, I think it's a really good point especially for not-for-profits where you know budgets are typically either non-existent, or very low compared to you know those available in the private sector. And there's certainly a lot that can be done. And because, as you've already said, so much about people's interaction with information, with technology, that it doesn't have to be expensive, a lot cheaper than some of the technical solutions that people put in,
K: Yeah
M: So, I completely agree with you on that one. You look at this from a sort of risk point of view but you think there's opportunities to do more. In terms of the profession you don't think there's really sort of huge engagement yet around that sort of cyber security and change management piece, and one thing that Iām quite interested in is, you mentioned about how we as professionals relate to and interact with and integrate processes with other sort of back office if you like people in the profession, so you know whether it's procurement, legal, governance ,risk etc. Is that a conversation that you're having really with any of those other kind of risk professionals as a Change Management Institute?
K: Yeah I think there's two elements to it. So the first is other professional bodies. So of course we work really closely with business analysts and we work really closely with project management professionals, and so our current focus is really kind of building relationships with those organizations or those professional bodies, to kind of share what our perspective is on projects, what their perspective is, and figure out again how do we come to collaborate for better business outcomes? People are thrown together in projects, there's a project manager tasked with delivering a thing, there's a change manager tasked with changing the behaviour of people to accept the thing, there is a business analyst helping us figure out what these things are in the first place. We're a relatively junior profession compared to those other two. They've been around much longer, people understand more. So we've got a lot of work to do just to educate people about what we're here for and how we work with other teams. But we are really fundamentally about that right, because there's no point of us turning up and everyone going: who are you? what are you here for? And every organization is slightly structured differently. Sometimes their project managers will do the BA work, sometimes they're you know they'll have a portfolio management. So the landscape is completely different every organization and yet we've still got to figure out a consistent way of describing what we do in the context of how organizations operate. So there's a lot for us to get across, but that doesn't stop us wanting to work with more people, because the more people we can kind of talk to about what we do, the more people would reach out to us, I hope will find interest in the work we do and want to work with us a little bit more. Doing stuff like this for me is really interesting, because Iām like, I want to learn about what other people are up to their business, about creating value, making technology work for people, and sharing some of that kind of you know reflections from the sides of the business world we come from. And I think that's a you know a fundamental pillar for us as a professional body is create awareness and create engagement. We're still new kids on the block, people still need to know, understand what we do, we need to work hard to educate, but we also need to reinforce the credibility behind what we do as well, with you know real academic rigor.
M: What struck me about you know your last sort of paragraph what you were saying just then is: if you took that out of context and played it to somebody, they'd swear you're a cyber security professional, seriously. Because it's exactly the same: we're a relatively young profession, the body the Chartered Information From Information Security (CISEC) is now chartered, but you know that took a while to get. We've now got a new UK cyber security council So things are slowly sort of becoming more āprofessionalizedā as it were. The other thing that struck me with what you're just saying as well, is the importance of educating people about what you do and the value. One of the challenges I found working in house associates professional is: how do you make that work visible and how do you show that value when people only tend to know about things when they go wrong? And I just wondered if that was also another parallel with change management, that you know when it's going well people don't really recognize, and it's the only when it goes wrong that they do.
K: When good change management is in place, you don't realize it's there, because the outcome is what you expected it to be. It's when it's not in place that you realize something's missing, and all of a sudden we need to introduce something. And so I think that's an interesting dynamic for change practitioners, because if we're doing our job effectively, it doesn't even look like we're around. We operate in the shadows because if we're doing a good job, no one even needs to know we're there. We're just doing what needs to be done in order to make everything seem to work seamlessly. And it's when we're not there the problems exist. And maybe that's a bit poetic for how I see the change management profession, but I do think that is part of our kind of role to reduce the amount of friction that occurs within project, whether that's internally between people, between the business and the projects, like that is a primary function we operate to achieve.
M: And from a security point of view working to reduce that friction that users might feel when interacting with the systems, whether technical or not, is something. So it sounds like there's a lot of parallels with our two professions. Just to sort of wrap up, if you would like to pick a book, a movie, podcast, what would your recommendations be for our listeners?
K: Well I mean let's go easy right? Like I don't know if we've made a reference to it, but of course please go and listen to my podcast. Iāve got one called The Change Chair, where myself and a colleague of mine of talk to change practitioners about their everyday experience and what works and you know, share real life stories. So check that out, but I really recommend The Darket Diaries for anyone listening. Iāve just found all the stories in it entirely sort of captivating. Iāve just yeah just loved it. There was a book I read last year called Big Magic, by Elizabeth Gilbert. And Big Magic is a more of a poetic philosophical book about the process of generating ideas and turning them into action. Really I comeā¦ I don't know about you, but Iām somebody who comes up with ideas all the time, Iām forever writing little notes in my book, and I kind ofā¦ and there was this one bit within the book that kind of really struck me, which was that ideas are sort of sentient, they're just roaming around waiting to find somebody to kind of interact with. Sometimes it will hit you at the right time for you to do something with that idea and sometimes it will just pass straight through you and move on right. But it will hit someone else and that idea will materialize. And you might think oh god someone stole my idea. It just wasn't the right time for you to do something with it, but it was for them. So like this whole stealing of ideas is sort of almost nonsensical. I thought it was a really lovely way to think about ideas, because all of a sudden you lose that expectation that it was yours and you should have done something with it. The time wasn't right. So I really I just love that book. And then I will say a film as well just because I just like the premise of it. There's a movie called Moneyball, which is actually about a baseball team in America called Oakland Athletic. They weren't a very big team, or they hadn't won the league for many years. And they were really strapped for cash, but they used data to make better picks and draft players in, and optimize their team. And it was revolutionary, and they won the series in 2002. The story's great. The coach was thought of as a complete rogue. Like he was getting rid of players that everybody rated and bringing in players people were like why are you bringing? It's just like that counter-intuitive thinking backed up by data. It's a really phenomenal combination right, and it happens a lot in sport actually: people's ego takes over their logic. What I love about that film is that at the end they go to the Red Sox who also haven't won the league for a long time, and the Red Sox take it and in 2004 apply that logic and they go and win the series the following year. And the guy who came up with it, the manager was offered 12.5 million to then go and be like their lead analytics guy, and he turned it down and he carried on training with the Oakland Athletics.
M: That was great thank you. Is there one piece of advice that you would like to leave our executive leaders with?
K: Yeah I think we've talked about it in various different ways, but it's: you can only manage a risk you're aware of. Taking active decisions for that is part of the role of the executive right? So you know not deferring it to other people. And it doesn't have to be costly right, like just being aware doesn't have to be costly, taking active decisions doesn't have to be costly, capturing your decision making doesn't have to be costly, but it can certainly save you a lot of cost in the future, and I think it's really important that we invest in that aspect.
M: Thatās great. Thank you so much. Well it's been lovely talking to you and where can our listeners find you online?
K: I am always on LinkedIn, so you can go and find me I have an interesting moniker of Change Asian provocateur, so come and look me up. You can also find me under Ket Patel, probably a little bit more easier to find. And then if you're interested as well I mentioned with myself and my co-host Joe Brown we have a podcast called The Change Chair, we have a website you can go and check it out.
M: Right, lovely well thank you so much for your time, it's been great chatting with you today
K: You too, thank you so much for the invite, Michala.
Okay bye-bye