
OCM: The Acronym Your Security Program Actually Needs

As security leaders, we find ourselves pushing a lot of change.

New tools, updated policies, shifting threat landscapes—the list is endless and change is constant. Yet one of the most critical elements for making changes stick is one we rarely talk about: Organizational Change Management (OCM). 

OCM is the often-skipped step in any major initiative.

It’s the framework for building support for new policies and making a change sustainable. It's the "how" behind a successful rollout. While not unique to IT, it's particularly vital in cybersecurity because we're not just asking employees to use a new system; we're training them to shift their habitual behaviors. 

Consider data classification, for example. It's a straightforward scheme for labeling data by sensitivity. But you can't just send out a memo and expect everyone to change how they handle information; we all know how that goes: glazed-over eyes skim the email (if we're lucky) and nothing changes.

Invest in OCM, Not Just SaaS 

To do it right, build an OCM strategy and practices that get you into the different departments, let you understand their current workflows, and help the workforce build support for the new process. That means creating awareness of the change, the motivation and desire to adopt it, the knowledge of what to do, and the skills and ability to do it. Purchasing and implementing a new cyber tool does none of this.

It requires leadership soft skills, process changes, workforce "experiences", and job aids tailored to your specific organization.

The beauty of a robust OCM program is that it provides the foundation for every other security initiative. When you build a strong Human Risk Management (HRM) program within your cyber program, with embedded champions, ambassadors, and sponsors, you're not just developing people who advocate for a secure organization today; you're building the infrastructure to handle any future change that affects the workforce. This means that when a new tool, a major incident, or a new threat like deepfakes comes along, you already have the people, the methodology, and the sponsors to execute your plan with speed and confidence.

That’s our advice for technical leaders: stop buying tech to solve every problem.

Instead, invest in OCM.

Partner with your marketing and communications or OCM teams, and if you don't have the internal depth, find outside experts who have been in your shoes. Investing in OCM capabilities will make your technology go further and deliver better results by getting people to rally around your causes in a sustainable way.

About the author
Aaron Pritz
Aaron Pritz is a veteran cybersecurity professional with experience in IT, Six Sigma, privacy, insider threat, and risk management. He is the CEO and Co-Founder of Reveal Risk, a boutique cybersecurity, privacy, and risk consultancy, and has over 20 years of experience in the field. He held various leadership roles in the pharmaceutical industry for 17 years before pivoting to a client advisory role and co-founding Reveal Risk. He applies robust knowledge, his industry networks, and creativity to solve some of the toughest challenges in the field.