SHELL I.T. INTERNATIONAL – Quick (Security) Change Artists

When the I.T. services division of the Royal Dutch/Shell Group was required to implement a comprehensive set of new security standards in only six months, it decided to balance the human needs with the technical side of the changes.

In January 2000, the Shell Information Technology International (SITI) group received the mandate to institute all-encompassing security changes?new passwords every 35 days and updates to hundreds of servers and networks. As Shell’s IT service provider, SITI had to make sure its 2,300 IT staffers knew the security standards inside and out by June, when an independent audit of the new standards would be performed. Unlike many IT projects, security changes impact the daily routine of every employee with the scope of the effect depending on the type of job. SITI therefore decided that this project, known as Trust Domain, called for a change agent.

Planning and Communication

The first thing Janet Jones, the SITI project manager who handled Trust Domain, did was panic. “I thought, Oh my gosh, how will we get this done?” Jones says. Then she sat with Trust Domain’s sponsors and upper management at SITI and hashed out an overview of the project to determine what resources were needed. Jones decided to involve a change agent?keeping in mind that no one really likes change but that divisionwide compliance was imperative for the project to succeed. Past experience had shown that without a team leader focusing specifically on the people side of change, resentment might bubble up from the ranks. Alan Fraundorf, who was acting CIO for the organization at the time of the project and now works as a consultant in professional services, agrees. “You can have a great IT staff and extremely successful projects from an IT point of view,” he says. “But you must deal with the organizational impact of change to have overall success.”

Jones knew it was essential to bring an agent on board early to ensure that project stakeholders were identified and that the communication between the project team and employees was quickly put in place. The agent had to have strong listening skills and an innovative approach to collaboration. Trust Domain came on the heels of the Y2K project, on which Jones had worked with Christy Dillard, a change agent in Shell’s professional services department in SITI. The collaboration had been a success, and Jones knew Dillard had the experience and the qualities she needed to manage Trust Domain. Once Dillard signed on, she brought over Anita Bettis, a second change agent from professional services. The three decided that Jones would handle the technical and project management tasks, while Dillard and Bettis would handle all communication with employees and act as liaisons between the project team and the SITI staff. In order for the SITI employees to trust the agents and take them seriously, Dillard and Bettis knew they had to be visible and accessible to the staff on a daily basis. So the two moved into the SITI offices and began sitting in on all group and department meetings.

“Lots of people just stick their change agent in an office and leave them there,” Dillard says. “But you have to embed yourself into the project and the team. The change agents are the ones hearing about morale and reactions to the project.” Since Dillard observed people’s reactions and Jones tracked the project’s progress, daily meetings allowed them to share their different perspectives and create a larger picture. Jones, Dillard and Bettis immediately came up with backbone documents for the project: a staffing piece and stakeholders’ analysis.

Look into My Staff List

To have as granular an analysis as possible, Dillard and Bettis started by examining SITI’s organizational chart and breaking it down by department, group and individual, examining the impact of the change based on the employees’ jobs. Rather than simply filing the analysis away, the change agents used the document as a foundation for their communications plan?referring to it before meetings or sending out memos. As the project proceeded and the effect of Trust Domain became clear, the agents added stakeholders to the list and used their feedback to modify the communications plan.

For Dillard and Bettis that meant meeting with a manager on a weekly basis or meeting with an individual employee to get internal feedback. The impact of the new standards varied. For some, it meant changing their passwords every month and making sure they had a screen saver on their desktop. For others, it meant changing the procedures for writing code and taking new precautions when dialing into SITI’s network from a remote location.

To maintain contact with and solicit feedback from employees, the change team held frequent focus groups and took time in weekly department meetings for project discussions, where employees were more comfortable talking about concerns and questions. The team also looked to “unofficial” leaders in each department?the ones who spoke up most at meetings and employees went to for guidance. Jones and Dillard had learned during the Y2K project that getting the buy-in from those department leaders was essential in bringing along the entire department. The change agents met with the department champions for lunch on a monthly basis to keep their fingers on the pulse of the unit.

In turn, the department leaders kept the change team informed about how their group was adjusting to the new standards.

Trusty the Mascot

To increase awareness of Trust Domain, Jones and the change team created a website to keep staff updated and educated. The site featured project news, updates pertinent to each department, and a forum for questions and concerns. To bring the project to a more personal level and give it some humor, the team adopted a mascot: Trusty the porcupine. For the change team, Trusty gave the security project an identity that set it apart from other initiatives in SITI. To keep employees thinking about Trust Domain, which was essential for the project’s success, the team saturated SITI with Trusty paraphernalia. All communications relating to the project, such as presentations, e-mails and memos, bore the porcupine’s semblance, and Dillard set up an e-mail address for Trusty so that employees could e-mail concerns or questions about the project. Some people hated the mascot, she admits, but Trusty got people talking.

You Say Yes, I Say No

Inevitably, Dillard and Jones ran across pockets of resistance. Some employees felt the new security measures were too little too late. Others had watched similar initiatives get pushed through in the past and fail. Often, the champions identified naysayers in their department to the change team and gave the team insight into why problems were occurring.

Dealing with reluctant employees meant that Dillard and Bettis constantly met with department managers and the naysayers themselves. The team sat down with resistors and listened to their concerns, and then tried to address them by discussing the goal of the security mandate. “If people felt the changes were ineffectual, we acknowledged their opinion but let them know we had to start somewhere,” Dillard says.

As a next step, Dillard got the resistors involved in Trust Domain by encouraging them to learn about the project scope and give presentations to other departments in SITI. This helped reluctant employees feel as if they were part of the team, and it showed other employees that if this person could support the project anyone could, says Dillard.

Secure the Hatches

When July 1 came, SITI passed the mandated independent audit of the new security measures. The audit represented the first real test to find out whether the Trust Domain project had succeeded. SITI was one of the only Shell business units to pass the audit. And although SITI had completed the project, so many of the other Shell companies failed that the Royal Dutch/Shell Group was forced to push back the deadline to Oct. 1 for implementing Trust Domain. For Jones and Dillard, the real success lay in watching the change come and go without fanfare and without disrupting office life.

“Planning a change is like a three-legged stool,” Jones says. “The legs are technology, process and people. To be successful, you need to have all three and have them appropriately balanced. By the time the change came, everyone was prepared.”