Change management and cybersecurity: The importance of people in building a secure organisation

Cybersecurity is no longer the sole concern of IT departments. In today’s digital workplace, where change is constant and cyber threats are growing more frequent and complex, building a secure organisation is a shared responsibility, especially during transformation and project delivery.

Cyber resilience depends not only on technology, but on people. This means that project managers, change leaders, and cybersecurity professionals must work together to embed secure practices, manage risk, and align teams around a common goal: keeping the organisation safe.

Why cyber risk is everyone’s business

Cyber threats have evolved well beyond technical hacks. Today’s attacks increasingly rely on human error, social engineering, and gaps in behaviour or process. From phishing emails to insider threats, it’s often people, not systems, that provide the weakest link in security.

This is especially true during periods of change. New systems, workflows, or ways of working can introduce vulnerabilities. Without proper guidance, employees may revert to insecure habits, ignore best practice, or find workarounds that undermine controls.

That’s why integrating cybersecurity into change management isn’t optional — it’s essential. Change professionals help guide people through transitions, and their role in embedding secure behaviours is key to reducing risk.

Embedding security into project delivery

For project and programme managers, it’s important to recognise that security should not be a bolt-on at the end of delivery. Instead, it needs to be built into the project lifecycle from the start, just the same as user needs, performance metrics, or legal compliance.

This involves close collaboration between project teams and cybersecurity leads. Together, they can assess risk, define security requirements, and ensure those considerations are built into scope, schedules, and stakeholder plans.

Change managers also play a critical role here. By mapping how people will be impacted by new technologies or processes, they can flag potential vulnerabilities and align communications, training, and reinforcement activities accordingly.

For example, if a new collaboration platform is being introduced, the change lead can work with the cybersecurity team to ensure users understand safe sharing protocols, avoid reusing passwords, and recognise phishing risks, all before go-live.

Common pitfalls and how to avoid them

When cybersecurity is siloed from project or change work, the results can be costly. Common issues include:

• Security controls added too late, causing rework or user resistance
• Poor uptake of secure behaviours due to lack of training or engagement
• Mismatched expectations between IT, users, and leadership

To avoid these issues, early integration is key. Security considerations should be part of project initiation, risk assessments, stakeholder analysis, and communications planning. This means building cybersecurity into documentation such as the business case, project plan, and risk register, as well as identifying associated quality criteria from day one.

Change teams can support by carrying out impact assessments with a cybersecurity lens, designing onboarding materials that reinforce secure habits, and running awareness campaigns aligned to key project milestones.

Consider establishing cross-functional working groups or steering committees that include both change and security representation. This helps ensure alignment and shared ownership of cyber risk management throughout the project lifecycle.

Supporting teams through secure transitions

Projects that introduce new digital tools or remote/hybrid working arrangements often bring a shift in how data is handled and accessed. These transitions can be unsettling for teams, especially if secure practices add friction to their workflow.

That’s where change management plays a human-centred role. By listening to user concerns, simplifying complex protocols, and framing cybersecurity as an enabler (not just a restriction), change leads can help ease adoption and reduce pushback.

Training should go beyond compliance. Effective programmes show the why behind security policies, using real-life scenarios or simulations to make the risks relatable and the behaviours memorable. Microlearning modules, just-in-time reminders, or gamified phishing tests can be used to reinforce secure habits over time, helping employees absorb information in ways that stick.

Cybersecurity collaboration at different project stages

Throughout the delivery journey, cybersecurity and change professionals should work together to embed security in ways that are practical, relevant, and proportionate.

• Project initiation: Include cybersecurity in stakeholder mapping and risk assessments. Work together to define secure success criteria and key behavioural outcomes
• During delivery: Align change activities with secure rollouts. Ensure training, communications, and user support all address potential vulnerabilities and reinforce secure usage
• Post-implementation: Use feedback loops to assess adoption of secure practices. Identify behavioural gaps or resistance points and refine training or messaging as needed. Ensure knowledge is captured in post-project reviews for future initiatives

A more secure future starts with your people

Technology will always be part of the solution, but people are at the heart of both the risk and the response. In a world of rising cyber threats, project managers and change leads have a responsibility to partner with cybersecurity teams to protect not just systems, but behaviours, cultures and ways of working.

By embedding cybersecurity into change planning and delivery, and treating security as a shared priority, organisations can ensure that their projects don’t just go live, they go live securely.

Want to lead secure, people-driven change in your projects? Explore our Change Management™ and cybersecurity courses to build your capability in delivering risk-aware, resilient transformation.