Overview
Identity projects are unique because they change how people start their day. When you deploy MFA, you are interrupting a user's morning coffee routine. When you introduce Access Requests, you are adding bureaucracy to a manager's life. If you ignore the human element, users will revolt, find workarounds (shadow IT), or inundate the executive team with complaints until the project is killed. OCM is the art of preparing, equipping, and supporting individuals through this change. It is not just "sending an email"—it is marketing, psychology, and customer support wrapped into one.
Methodology & Frameworks
The ADKAR Model
Prosci’s ADKAR model is the gold standard for OCM.
- Awareness: "Why are we doing this?" (e.g., "To prevent hackers from stealing our payroll.")
- Desire: "What's in it for me?" (e.g., "You won't have to remember 20 passwords anymore.")
- Knowledge: "How do I do it?" (e.g., Training guides, videos, drop-in clinics.)
- Ability: "Can I actually do it?" (e.g., Successful login during the pilot.)
- Reinforcement: "Make it stick." (e.g., Decommissioning the old way so they can't go back.)
The "WIIFM" (What's In It For Me)
You must tailor the message to the persona.
- End Users: "Fewer passwords, easier login."
- Managers: "Faster onboarding for your team, less paperwork."
- Executives: "We won't be on the front page of the news for a breach."
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Mandate vs. Opt-in | Forced adoption vs. Voluntary | Forced with Grace Period. | Voluntary security never reaches 100%. Set a deadline: "On Nov 1st, MFA is mandatory." |
| Training Format | Live webinar vs. Video vs. PDF | Short Videos (under 2 min). | No one reads the PDF. No one attends the webinar. Make a GIF showing how to approve a request. |
| Support Channel | Helpdesk vs. "Genius Bar" | Dedicated Slack/Teams Channel. | For the first week, bypass the Helpdesk. Have the project team answer questions live. |
| Branding | "IT Security Project" vs. Internal Brand | Internal Brand (e.g., "AccessNow"). | Give the project a cool name and logo. It makes it feel like a product, not a penalty. |
Implementation Approach
Phase 1: Communication Campaign (T-Minus 4 Weeks)
- Activity: Teaser campaign.
- Message: "Something better is coming."
- Channel: Intranet, posters in the breakroom, Town Hall mention by the CEO.
Phase 2: Direct Training (T-Minus 1 Week)
- Activity: Actionable instructions.
- Message: "Here is exactly what you need to do on Monday."
- Asset: One-page "Cheat Sheet" (PDF) and a 30-second demo video.
Phase 3: The "Hypercare" Period (Go Live)
- Activity: High-touch support.
- Tactic: "Floor walking" (or virtual drop-in sessions). Consultants walk around looking for confused faces.
- Goal: Fix issues instantly before frustration builds.
Phase 4: The Stick (Post-Go Live)
- Activity: Enforcing compliance.
- Action: "You have not registered for MFA. Your account will be locked in 3 days."
- Tone: Firm but helpful.
Deliverables
- Communications Matrix: Timeline of emails, audiences, and key messages.
- User Guides: "How to Reset Password," "How to Request Access."
- FAQ Document: Answers to "Why do I have to do this?" and "Can I use my personal phone?"
- Executive Talking Points: Scripts for leaders to support the project in meetings.
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Executive Exemption | High | High | VP asks to be excluded from MFA. | "Whaling" is the biggest risk. Security must stand firm: "Attackers target VPs first." |
| Device Friction | Med | High | Users refuse to put an app on personal phones. | Offer hardware tokens (YubiKeys) as an alternative. Don't fight the "my phone, my data" war. |
| Helpdesk Overload | High | Med | Helpdesk doesn't know how to support the tool. | Train the Helpdesk before the users. They are your first line of defense. |
| Notification Fatigue | Med | Low | Users ignore approvals because they get too many emails. | Consolidate notifications (daily digest) or use Slack/Teams integration. |
KPIs / Outcomes
- Registration Rate: % of users enrolled in MFA/SSO before the deadline.
- Support Ticket Volume: Number of "How do I...?" tickets vs. "It's broken" tickets.
- User Sentiment: Survey score (CSAT) post-deployment.
- Compliance Rate: % of users fully migrated to the new process.
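A small tracker covering both the Phase 4 enforcement messages and the Registration Rate KPI above, as an added example that is not part of the original playbook: it computes per-department enrollment and picks the reminder tier for each unenrolled user from the days left before the mandate deadline. The directory export, the deadline date and the `exempt` column are constructed for illustration.

```python
"""Post-go-live MFA enrollment tracker (constructed example, not from the page)."""
import csv
import io
from datetime import date

# Constructed directory export: who is enrolled, and who has asked for an exemption.
DIRECTORY_CSV = """\
user,department,mfa_enrolled,exempt
alice,Finance,yes,no
bob,Finance,no,no
carol,HR,yes,no
dave,HR,yes,no
erin,Sales,no,no
frank,Sales,no,yes
"""

DEADLINE = date(2024, 11, 1)   # "On Nov 1st, MFA is mandatory." (assumed date)
LOCK_GRACE_DAYS = 3            # "Your account will be locked in 3 days."


def load_users(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def registration_rate(users):
    """Registration Rate KPI: percent enrolled per department plus an ALL rollup."""
    by_dept = {}
    for u in users:
        total, enrolled = by_dept.get(u["department"], (0, 0))
        by_dept[u["department"]] = (total + 1, enrolled + (u["mfa_enrolled"] == "yes"))
    rates = {d: round(100 * e / t, 1) for d, (t, e) in by_dept.items()}
    rates["ALL"] = round(100 * sum(e for _, e in by_dept.values()) / len(users), 1)
    return rates


def reminder_action(user, today):
    """Phase 4 message tier for one user; None if already enrolled."""
    if user["mfa_enrolled"] == "yes":
        return None
    if user["exempt"] == "yes":
        # Exemption requests are the "Whaling" risk: route to security, never auto-approve.
        return "ESCALATE: exemption request, review with security"
    days_left = (DEADLINE - today).days
    if days_left > LOCK_GRACE_DAYS:
        return f"REMIND: enroll before {DEADLINE.isoformat()}"
    if days_left > 0:
        return f"WARN: account will be locked in {days_left} day(s)"
    return "LOCK: deadline passed, block sign-in until enrolled"
```

Run it against a real directory export by swapping in the CSV text; the "ALL" rate is the number to report against the deadline.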
Consultant's Notebook (Soft Skills)
Empathy Engineering
Technical consultants often sneer at users who "can't figure out MFA."
- Stop it.
- Users are busy. They are experts in Finance/HR/Sales, not IT.
- If they fail, your design failed.
- Approach every complaint with: "I'm sorry it's frustrating. Let me help you, and then I'll fix the process so it doesn't happen to others."
The "Champion" Network
Identify one friendly person in every major department.
- Train them early (Super Users).
- Buy them lunch.
- When Go-Live happens, they will help their peers. A peer saying "It's easy, just click here" is 10x more effective than an IT email.
Gamification
- "First department to reach 100% enrollment gets a pizza party."
- It sounds silly, but it works. It turns a compliance chore into a team competition.
