IT SECURITY

Quick Change Artists

18.03.2002 by Simone Kaplan
The rollout of new security standards at Shell went successfully. The IT department paid special attention to the human factor in the process.

When the I.T. services division of the Royal Dutch/Shell Group was required to implement a comprehensive set of new security standards in only six months, it decided to balance the human needs with the technical side of the changes.

In January 2000, the Shell Information Technology International (SITI) group received the mandate to institute all-encompassing security changes - new passwords every 35 days and updates to hundreds of servers and networks. As Shell's IT service provider, SITI had to make sure its 2,300 IT staffers knew the security standards inside and out by June, when an independent audit of the new standards would be performed. Unlike many IT projects, security changes impact the daily routine of every employee with the scope of the effect depending on the type of job. SITI therefore decided that this project, known as Trust Domain, called for a change agent.

Planning and Communication

The first thing Janet Jones, the SITI project manager who handled Trust Domain, did was panic. "I thought, Oh my gosh, how will we get this done?" Jones says. Then she sat with Trust Domain's sponsors and upper management at SITI and hashed out an overview of the project to determine what resources were needed. Jones decided to involve a change agent - keeping in mind that no one really likes change but that divisionwide compliance was imperative for the project to succeed. Past experience had shown that without a team leader focusing specifically on the people side of change, resentment might bubble up from the ranks. Alan Fraundorf, who was acting CIO for the organization at the time of the project and now works as a consultant in professional services, agrees. "You can have a great IT staff and extremely successful projects from an IT point of view," he says. "But you must deal with the organizational impact of change to have overall success."

Jones knew it was essential to bring an agent on board early to ensure that project stakeholders were identified and that the communication between the project team and employees was quickly put in place. The agent had to have strong listening skills and an innovative approach to collaboration. Trust Domain came on the heels of the Y2K project, on which Jones had worked with Christy Dillard, a change agent in Shell's professional services department in SITI. The collaboration had been a success, and Jones knew Dillard had the experience and the qualities she needed to manage Trust Domain. Once Dillard signed on, she brought over Anita Bettis, a second change agent from professional services. The three decided that Jones would handle the technical and project management tasks, while Dillard and Bettis would handle all communication with employees and act as liaisons between the project team and the SITI staff. In order for the SITI employees to trust the agents and take them seriously, Dillard and Bettis knew they had to be visible and accessible to the staff on a daily basis. So the two moved into the SITI offices and began sitting in on all group and department meetings.

"Lots of people just stick their change agent in an office and leave them there," Dillard says. "But you have to embed yourself into the project and the team. The change agents are the ones hearing about morale and reactions to the project." Since Dillard observed people's reactions and Jones tracked the project's progress, daily meetings allowed them to share their different perspectives and create a larger picture. Jones, Dillard and Bettis immediately came up with backbone documents for the project: a staffing piece and stakeholders' analysis.

Look into My Staff List

To have as granular an analysis as possible, Dillard and Bettis started by examining SITI's organizational chart and breaking it down by department, group and individual, examining the impact of the change based on the employees' jobs. Rather than simply filing the analysis away, the change agents used the document as a foundation for their communications plan - referring to it before meetings or sending out memos. As the project proceeded and the effect of Trust Domain became clear, the agents added stakeholders to the list and used their feedback to modify the communications plan.

For Dillard and Bettis that meant meeting with a manager on a weekly basis or meeting with an individual employee to get internal feedback. The impact of the new standards varied. For some, it meant changing their passwords every month and making sure they had a screen saver on their desktop. For others, it meant changing the procedures for writing code and taking new precautions when dialing into SITI's network from a remote location.

To maintain contact with and solicit feedback from employees, the change team held frequent focus groups and took time in weekly department meetings for project discussions, where employees were more comfortable talking about concerns and questions. The team also looked to "unofficial" leaders in each department - the ones who spoke up most at meetings and whom employees went to for guidance. Jones and Dillard had learned during the Y2K project that getting the buy-in from those department leaders was essential in bringing along the entire department. The change agents met with the department champions for lunch on a monthly basis to keep their fingers on the pulse of the unit.

In turn, the department leaders kept the change team informed about how their group was adjusting to the new standards.

Trusty the Mascot

To increase awareness of Trust Domain, Jones and the change team created a website to keep staff updated and educated. The site featured project news, updates pertinent to each department, and a forum for questions and concerns. To bring the project to a more personal level and give it some humor, the team adopted a mascot: Trusty the porcupine. For the change team, Trusty gave the security project an identity that set it apart from other initiatives in SITI. To keep employees thinking about Trust Domain, which was essential for the project's success, the team saturated SITI with Trusty paraphernalia. All communications relating to the project, such as presentations, e-mails and memos, bore the porcupine's semblance, and Dillard set up an e-mail address for Trusty so that employees could e-mail concerns or questions about the project. Some people hated the mascot, she admits, but Trusty got people talking.

You Say Yes, I Say No

Inevitably, Dillard and Jones ran across pockets of resistance. Some employees felt the new security measures were too little too late. Others had watched similar initiatives get pushed through in the past and fail. Often, the champions identified naysayers in their department to the change team and gave the team insight into why problems were occurring.

Dealing with reluctant employees meant that Dillard and Bettis constantly met with department managers and the naysayers themselves. The team sat down with resisters and listened to their concerns, and then tried to address them by discussing the goal of the security mandate. "If people felt the changes were ineffectual, we acknowledged their opinion but let them know we had to start somewhere," Dillard says.

As a next step, Dillard got the resisters involved in Trust Domain by encouraging them to learn about the project scope and give presentations to other departments in SITI. This helped reluctant employees feel as if they were part of the team, and it showed other employees that if this person could support the project anyone could, says Dillard.

Secure the Hatches

When July 1 came, SITI passed the mandated independent audit of the new security measures. The audit represented the first real test to find out whether the Trust Domain project had succeeded. SITI was one of the only Shell business units to pass the audit. And although SITI had completed the project, so many of the other Shell companies failed that the Royal Dutch/Shell Group was forced to push back the deadline to Oct. 1 for implementing Trust Domain. For Jones and Dillard, the real success lay in watching the change come and go without fanfare and without disrupting office life.

"Planning a change is like a three-legged stool," Jones says. "The legs are technology, process and people. To be successful, you need to have all three and have them appropriately balanced. By the time the change came, everyone was prepared."