Question
Case Study: The Challenge of Change at GCC

Following Altaf's resignation in May 2007, Arsalan was perplexed and contemplated what course of action to take. The external audit was coming up in three months and Arsalan had to get everything back on track in a hurry to be ready for the external audit. Even though Altaf had stepped down as Chairman of the ISMF, he was still offering his support to the certification project as he knew that his standing in the office was influential and that people looked up to him. With the passage of time, his opinion had changed and he became a staunch supporter of the certification effort. According to Arsalan:

A New Chairman of the ISMF

After Altaf resigned, there was another meeting of the top management to decide who would be the new Chairman. There were several contenders including Faisal and Arsalan. Faisal thought that Arsalan should not be the Chairman since the project would then become solely his 'baby'. Another contender was Kashif Jadoon. Kashif had recently joined the company, about halfway through the ISMS certification process. He had ten years of experience in IT, Sales and Process Management. Currently, he was working on quality optimization. Kashif got more votes than Arsalan and was named the new Chairman of the ISMF. The general consensus was that since he was more of an outsider to the company, he would be more unbiased when it came to dealing with employee issues and would be more focused on the business side of the company. Altaf himself said, 'All of us had been working in the company for almost eight years, thus small issues would escalate into big ones very quickly as we all knew each other very well. That's why we all thought that Kashif would be the best option.'

Kashif himself did not have any knowledge of ISO 27001. According to Kashif:

'When I became the Chairman of the ISMF, I didn't even know what ISMF and ISMS were. What were the roles and the responsibilities of the ISMF? Basically, I didn't know anything about ISO 27001 standard. So when they appointed me, the first challenge was to get to know what I needed to do.'

Ayesha and Taimur had already taken the bulk of the work and had briefed him about the progress of the project. His role was more related to execution. His main responsibility was to coordinate the ISMF meetings as per standard requirements. Initially, the meetings were held weekly. As the audit date approached, official ISMF meetings were held daily, and unofficial ones were called twice or thrice a day.

Arsalan was very surprised and confused about the internal audit result. The audit made them realize what they were lacking. After the non-compliance report, Arsalan said:

'I was very happy as I now had something to scare people with and I think it worked. One good thing we did was that we pointed out which departments had the most inconsistencies. The team managers started realizing that certain things under them needed to be fixed. They recognized that they needed to roll up their sleeves and start working on it as when the audit is conducted, the non-compliances would not be Arsalan's, in fact it will be theirs. We were also fortunate that the external audit was delayed till August due to logistical issues.'

According to Kashif, the first audit failed because there was no action, although the documentation was complete: 'No company can pass an audit on documentation alone.' After the first internal audit, they realized that the way they had tried to implement the standard had not worked and that they had to make certain changes. Initially, the roles of the people in the management cycle were not clear and they needed to be informed about their responsibilities in the whole process. The ISO team had to communicate what was expected of everyone. For most of the employees, the ISO 27001 was still a relatively new concept and people did not know what to do. Kashif said:

'The challenge was how to translate the paperwork into action. Also, the culture of the company is that nothing can be enforced on them. All of a sudden, you cannot ask them to start coming at 8 am, you can't do it. These things take time. So it was a real test to think about how to tell these people that they have to start going through this certification and that certain things were expected of them.'

The toughest task for the ISMF was to change the people's mindsets, especially about security-related issues. Mistrust had to be avoided as much as possible. Stated Kashif:

'There were two turning points. The first one was when I said that we would not go ahead with the certification until we were all convinced of it. So let's sit down, try to convince each other until we have a consensus one way or the other. It was clear in everybody's mind that if we do not buy the idea, we would just walk away.'

There were frank discussions amongst the leadership team and the Line Managers to decide whether to go ahead with the certification in the first place. The ISMF proceeded in a different direction and asked the Line Managers to convince the forum why the company should not go ahead with the certification. Most of the people still believed that the company was interested in acquiring the certification just for the sake of boosting the company's profile and not to follow the procedures in the long run. In that meeting, the ISMF was successful in convincing the managers otherwise. Kashif stated:

'After the meeting, we came up with a business plan on how to implement the policies as now people were ready to go ahead with the certification. We started off with the same training, just now the mindset of the people was different and they were more receptive. They wanted to absorb it as they were now convinced.'

The ISMF realized that it needed to change its strategy and thus started with a different approach. The new approach involved talking to Line Managers as to what needed to be done and then the Line Managers and first-level managers were trained. The ISMF would just be there to facilitate the training. The strategy was reversed and the managers started to talk about the business value of ISO 27001. They discovered why GCC should go for the certification and what was in it for each team. Kashif explained as follows:

'The second turning point was when they started the reverse strategy. We went back to the people and told them the value of ISO. There were a lot of questions, some good, some stupid, but we had to answer all of them. Most people not only wanted to know what business value the certification had, but also how I, the employee, would benefit from it. Team members asked that they didn't see any value being added to their own respective department. We told them that the departments themselves were a part of the organization. We actually had to go and convince them with statistical data. We made comparisons with Tata and Satyam, companies of India. Even US NCR has outsourced all of its work to India, and Pakistan has nothing. In outsourcing, the biggest concern is security. We asked the team to convince us why we should outsource our work to you when we could do it ourselves. We needed to prove to them that we have to do it. It's the same as doing a Masters but not having a degree to prove it.'

Implementation

To motivate the employees, the company would have little competitions and the winning team would get some Teradata giveaways. Also, every month they had an all-hands meeting that would be headed by Faisal. It was mandatory for all the available employees to attend the meetings. In that meeting, the names of the individuals and their respective teams would be announced. The names of the teams that were doing well in ISO were also announced, which led to competition between the teams. According to Altaf, 'That started giving the people the feeling that it was recognized. And because of that people started paying attention to all the small little details. Even though we had little time, it was kind of effective.'

They also improved their incident reporting process. Altaf said the following:

'We decided to target the management first as normally it was the management that violated the policies. In one month we had almost twenty violations by the management, and five or six by the rest of the organization, which, if you look at, is really a bad thing. But we wanted to give the message that for us, the designation of the person violating the policy does not mean anything. There were even three violations by Faisal. We had become very rigid and the ISO process would not be influenced by anything.'

All pirated software and songs were to be deleted from the office laptops. It was very hard for the audit team to determine which were legally licensed to the individual and which were pirated. Thus, they had decided that employees could not have anything on the office computers. This caused a lot of people to be upset. The company had to abide by the laws of software piracy. All the servers in the company were to have original software.

The managers were accountable for the performance of their teams. They were part of the process in which they discussed and approved the policies and then trained their teams. If the team had any objections, it was the responsibility of the manager to raise that with the ISO team.

Another meeting of the Leadership Team was held to decide whether to delay the audit further. The meeting was to be held even though the external auditor had already booked his flight tickets to come to Islamabad for the audit. Also, before the external auditor's personal visit, all the documentation that was made had to be sent to him. All the preliminary steps were implemented and only the visit itself was left.

Arsalan still thought that there was not enough time and that the certification should be further delayed. During the audit, he would have to leave, which was a further cause for concern. He wanted more time so that they could prepare in a more organized way. Nonetheless, Kashif was of the opinion that if they did not go ahead with the certification now, they would never do it. He kept repeating that they should strike now as the iron was hot. Kashif was then asked if he could take the accountability of the whole project. He was ready to do so.

One month before the external audit, the implementation had not even started. The trainings started again and now they proceeded faster than before as people were more willing to learn. The whole mindset had changed. Kashif said:

'The certification was only possible because everybody was involved. They were all very positive about it and I had not seen any casual attitude displayed during that time period. The hype was created that something was coming and we needed to do it. Everyone was committed to it starting from the top management. In my experience spanning four different companies, I have learned that if the concerned manager is not convinced then there is no point in doing it and on the other hand, if the manager was convinced, then it would take a lot less time convincing other people.'

The ISO team finally realized that people were following through with the procedures when they started getting back a lot of queries. That was a major indicator that people were reading them and wondering about them. Replies were then posted on the forum.

Second Internal Audit

The ISO Team conducted the second internal audit in mid-July 2007. They had been trained by the external consultants. The second internal audit was necessary because they knew that they had a lot of non-compliances and that the external auditor would inquire about them. They wanted to show him that they had taken some corrective measures. Arsalan said:

'Another reason that we conducted the second internal audit was that we wanted to scare people. It's like the same thing that you do not study if you don't have exams. What we had discovered was that most of the non-compliances regarding the departments and their implementation had been closed and the non-compliances on our team were the only thing left. For that we had a plan. The ones that were left were the ones that had to be defined for the specific department.'

Finally, after all the discussions and hard work, the external auditor was coming to conduct the audit. Having tried to do their best in a relatively short period of time, the ISMF could only just wait and see how their tremendous efforts would be rewarded.

Discussion Questions

1. Compare and contrast Kashif's implementation strategy with that of Arsalan. Which strategy was more effective and why?
2. Do you think that GCC Pakistan will succeed in gaining the certification at the external audit?
3. What lessons could you draw about managing change from the experience of implementing the information security management system at GCC Pakistan?