At this year’s Infosecurity Europe 2023, I was part of a panel discussion with Dave Cartwright, CISO of Santander International, and Anil Varghese, CISO of Francisco Partners, moderated by Zeki Turedi, CTO of CrowdStrike.
Our topic was digital transformation, and our experiences of what makes a digital transformation programme succeed or fail.
Digital transformation programmes are started for a very wide range of business reasons. In the pandemic, organisations needed to change fast to enable home working. They may want to replace inefficient, often manual, processes with more efficient computerised ones. Digital solutions may be used to improve the effectiveness of processes, for example by using machine learning to improve fraud detection.
Whatever the reason for the programme, the result is new ways of working, cultural challenges and changes to risks associated with the processing activity. It’s easy to see a digital transformation programme as a software or hardware implementation project and to downplay the importance of the interaction between digital and human. Here are three ways organisations can put people at the heart of digital transformation, and how they contribute to making the project succeed.
Bring your people on the journey with you
I have spoken to two people this month alone who have faced difficulties with their digital transformation programme because they didn’t engage people well enough.
In the first case, the organisation found a new software system that had all the functionality they needed and looked like it would bring big business benefits. They bought and set up the system, then went to train the person who would be the main user – who refused to be trained because they were about to retire and weren’t interested in learning a new system.
In the second case, lots of work had gone into defining new roles and setting out expectations – but the people who will be expected to do the work can’t relate those expectations to their daily roles due to a lack of understanding of what is required and why. The project is therefore stalling because people can’t work out what to actually do.
In both cases, the issues could have been addressed by speaking with the system users and truly understanding their perspective. The first organisation could have decided to use the new system as part of their succession planning for the main user and trained someone new to use it. The second organisation could have reviewed job descriptions and communicated the new expectations to the individual.
Plan for failure the way you plan for incidents
Many organisations have a ‘fail fast’ approach that allows them to launch small incremental changes rather than taking a ‘big bang’ approach that launches all the changes at the same time after significant investment. This contains the potential impact of each failure, so if something goes wrong, it affects only part of the process that has incrementally changed and not the whole processing activity. So, for example, a new range might be rolled out for one specific process, or only for one type of customer.
When taking this approach, it’s tempting to just plan to roll back the change if it doesn’t work. However, that can lead organisations to miss some kinds of failure. For example, operational teams might struggle to accept a new control measure and yet the change might still look like a success because the overall processing objective is met. For example, one organisation I spoke with recently described difficulties getting operational teams to accept two-factor authentication (2FA) because it required them to switch from their laptop to their phone and back and interrupted the flow of the process. This then led the team members to avoid the tasks that required 2FA. That’s a failure, but not necessarily an obvious one.
A better approach is to think through what failure might look like before each deployment, in the same way that organisations think about what incidents might occur. Data protection impact assessments and other risk assessments can help with this, as using a structured approach will assist in identifying potential issues before they occur. You can then plan for the failure in the same way that you would plan for an incident. What training and information might people need in advance of the release to ensure failures are avoided, or identified and reported? What operational risks could occur? What communications will different people need if the deployment fails? Who should be involved in root cause analysis and debrief sessions?
Involve the right people in planning communications
During the panel discussion, Dave Cartwright noted that IT teams aren’t always the best at communicating outside of the IT team. That should be no surprise – it’s not their job, and often the documentation they are trained to produce is very detailed and technical and not right for non-specialist audiences.
Fortunately, many organisations will have experts they can turn to. Internal communications and marketing teams are very skilled at turning technical detail into clear and simple messages that focus on what people need to know. These people can work with IT to run focus groups, plan communications and keep people informed when things don’t go to plan.
This last is particularly important and very often overlooked. If people see releases repeatedly ‘failing fast’, and they don’t get good communications, they may become cynical about the project, which can ultimately lead to its failure. Good communications can help people understand that ‘failing fast’ is a testing and listening approach that is intentional and will ultimately result in digital transformation that succeeds.
People make projects succeed
Almost all digital transformation projects require people to transform too. Organisations that put the same effort into understanding the human transformation required to make the change happen will be the ones that have the most successful outcomes.