Dealing with the human element
I could have used brute force and pulled the plug on our existing password and permissions setup right away, rolling out BeyondTrust to everyone in the company at once, but that approach rarely works. No one wants to walk in on a Monday morning to discover that their computing environment has suddenly changed.
My CISO was nervous about the rollout, and rightfully so. He’d tried to implement similar measures before, but had trouble getting people to adopt a new system. I explained to him that we needed to start by acknowledging a basic fact: folks aren’t always comfortable around new technology. You can’t always be the all-or-nothing sheriff, threatening to lock up everyone who doesn’t come on board. In order to drive long-term adoption, I find it more effective to take a softer, gentler approach. I like to start by working with those who are open to change and converting them into evangelists for the transformation.
First, I got everyone in our C-suite to buy into the platform. I then deployed BeyondTrust to everyone on my team, followed by early-adopter system administrators. There are always some glitches that arise during deployment, and it’s beneficial to get people on board early who are not only enthusiastic about the platform, but who are technically capable of troubleshooting any problems. Once they’d found and fixed those early issues, they started encouraging other IT teams to embrace BeyondTrust.
I was lucky to get the nod of approval from these technical teams at the start of the process. They set up a BeyondTrust PoC in a sandboxed environment, ran a series of benchmarks, and confirmed the effectiveness of the PAM solution. They helped me speed its adoption by showing everyone that it worked.
Everything went smoothly from a technical standpoint, but my main concern with these rollouts is always the human element. It’s only natural for people to resist when you mandate a particular approach to an activity or limit their access to previously available functions.
Getting everyone to adopt BeyondTrust’s credential management features was one thing. You log in, follow instructions, and update your privileged passwords regularly. That small behavioral change meets with little resistance.
Changing local access privileges was another matter. Even though probably less than 5% of employees typically need or use full local admin access privileges, many of them will balk at the idea of someone robbing them of the freedom to make changes to their machines. Some people may even feel that you’re revoking privileges as a type of punishment.
This second transition is not technological, but cultural. To successfully navigate it, you must advance slowly and socialize your workforce so that everyone understands the stakes. Start by explaining the new approach. Tell your employees why you’re adopting new security rules and elaborate on the pros and cons. Most importantly, remind your people that you trust them and are restricting their access privileges so they don’t have to worry about securing their machines.