Changing the Monolith, Part 2: Whose Support Do You Need?

Transformation can be a daunting task. In this series, I explore how change is possible when addressing the components of people, process, and technology that make up the organization. Let’s start with People, Part 2: Whose Support Do You Need? Read Part 1, on Building Alliances, here.

Joseph Davis
Jun 4, 2019 · 5 min read
Build the right team. (Source: Getty Images)

In Part 1, I explore how security leaders can build alliances and why a commitment to change must be signaled from the top. But whose support should you recruit in the first place? Here, I address considerations for the cybersecurity team itself, the organization’s business leaders, and the employees whose buy-in is critical.

Build the Right Cybersecurity Team

Similarly, not every cybersecurity and privacy professional is deep in all subjects such as governance, technology, law, organizational dynamics, and emotional intelligence. No person is born a specialist.

If you are looking for someone who is excellent at threat prevention, detection, and incident response, hire someone who specializes in those specific tasks and has demonstrated experience and competency. Likewise, be cautious of promoting cybersecurity architects to the role of Chief Information Security Officer (CISO) if they have not demonstrated strategic leadership with the social aptitude to connect with other senior leaders in the organization. CISOs, after all, are not technology champions as much as they are business leaders.

Keep Business Leaders in the Conversation

Keep business leaders accountable about security. (Source: Getty Images)

These should not be product status reports, but briefings on key performance indicators (KPI) of risk. Business leaders must inform what the organization considers to be its top risks. Here are three ways to guide these conversations:

  1. Evaluate the existing cyber-incident response plan within the context of the overall organization’s business continuity plan. Elevate Cyber Incident Response plans to account for major outages, severe weather, civil unrest, and epidemics — which all place similar, if not identical, stresses to the business. Ask leadership what they believe the “crown jewels” to be, so you can prioritize your approach to data protection. The team responsible for identifying the “crown jewels” should include senior management from the lines of businesses and administrative functions.
  2. Review the cybersecurity budget with a business case and a strategy in mind. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cybersecurity budgets tied to what looks like a “good fit” for the organization is recommended.
  3. Reevaluate cyber insurance on an annual basis and revisit its use and requirements for the organization. Ensure that it is effective against attacks that could be considered “acts of war”, which might otherwise not be covered by the organization’s policy. Review your policy and ask: What happens if the threat actor was a nation state aiming for another nation state, placing your organization in the crossfire?

Gain Buy-In through a Frictionless User Experience

Digital transformation introduces a sea change in how cybersecurity is implemented. It is paramount to provide the user with the most frictionless user experience available, adopting mobile-first, cloud-first philosophies.

Ignoring the user experience in your change implementation plan will only lead users to identify clever ways to circumvent frustrating security controls. Look for ways to prioritize the user experience even while meeting security and compliance goals.

Incremental Change vs. Tearing Off the Band-Aid

Tear off the band-aid? (Source: Getty Images)

Imagine slowly replacing the interior and exterior components of your existing vehicle one by one until you have a “new” car. It doesn’t make sense: You still have to drive the car, even while the replacements are being performed!

Similarly, I’ve seen organizations take this approach in implementing change, attempting to create a modern workplace over a long period of time. However, this draws out complex, multi-platform headaches for months and years, leading to user confusion, loss of confidence in IT, and lost productivity. You wouldn’t “purchase” a new car this way; why take this approach for your organization?

Rather than mixing old parts with new parts, you would save money, shop time, and operational (and emotional) complexity by simply trading in your old car for a new one.

Fewer organizations take this alternative approach of “tearing off the band-aid”. If the user experience is frictionless, more efficient, and enhances the ease of data protection, an organization’s highly motivated employee base will adapt much more easily.


Stay tuned for more! In my next installments, I will cover the topics of process and technology, respectively, and their role in changing the security monolith. Technology on its own solves nothing. What good are building supplies and tools without a blueprint? Similarly, process is the orchestration of the effort, and is necessary to enhance an organization’s cybersecurity, privacy, compliance, and productivity.

Microsoft Cybersecurity: Stories from the frontlines of security, compliance, and digital transformation

Written by Joseph Davis — Microsoft Chief Security Advisor for Health & Life Sciences