Resistance to cultural change plays spoilsport in strengthening enterprise IT security (Part 1)

Recently, while interviewing some global CIOs and CISOs at an event about the reasons behind extensive privileged account compromise, we came across a very interesting point of view highlighted by a few of the respondents: work culture and employee mindset can be a big barrier to establishing a robust IT security framework in enterprises. Let us see how they can play spoilsport when an enterprise tries to strengthen its IT security.

While management widely acknowledges the capability of Privileged Access Management (PAM), it often gets stuck because IT administrative staff dislike it. More than dislike, people presume that it might increase their workload extensively. As a result, successful implementation of a PAM project faces hurdles and adoption of the new technology stalls. While top management (CIO, CISO) prefers it from a security and compliance perspective, resistance from IT administrative staff hinders changes to security policies and procedures.

Change is inevitable in every sphere of life. However, humans, by nature, are never comfortable with changes in their life or work, because they anticipate hidden challenges. People react to change in different ways: some may respond with fearful acceptance while others respond with complete denial. This can definitely be controlled if we get to know the reasons behind the resistance. Be it individual change or organizational change, there are a number of reasons why people resist it.

  • Employment security: This is a very common concern among employees in any organization. Any implementation of new technology leads employees to presume that their jobs might be at stake.

  • Lack of communication: Many times, changes happening in organizations are not communicated properly, which creates a lot of confusion among employees. Deployment of PAM thus inherently creates a notion that the change won’t be suitable.

  • Extent of change: Employees remain unsure about the extent of the technological changes that will occur in the system once PAM is implemented. Thus, they cannot be receptive to it.

  • Fear of losing control: Employees fear losing their grip on their work skills if the changes are technologically advanced and require less human intervention.

  • Influence of group decision: This happens in most organizations. Even if a member of the lower admin staff is, like the management, receptive to a change, he/she changes his/her mind if peers or the rest of the team stick to their resistance.

  • Competence concern: Someone who is well suited to a particular workflow may resist changes out of worry about performance. Such employees remain indecisive because they have not learned how PAM can ensure better security without affecting anybody’s performance.

  • More work pressure: Employees presume that introducing PAM would increase their workload.

All the above points, as we observe, are mostly human presumptions that hinder technological progress. Today, cyber threats are getting more sophisticated, and it takes a highly advanced solution to secure information assets from malicious actors. While organizations have no option but to strengthen their IT security infrastructure with a robust and advanced risk-control solution, resistance to change stops any kind of development.

(In the next part of this blog we will share how to overcome this situation… stay tuned)


ARCON is a leading enterprise risk control solutions provider, specializing in risk-predictive technologies. ARCON | User Behaviour Analytics enables monitoring of end-user activities in real time. ARCON | Privileged Access Management reinforces access control and mitigates data breach threats. ARCON | Secure Compliance Management is a vulnerability assessment tool.