Changing the Monolith, Part 3: What’s Your Process?

Transformation is a daunting task. In this series, I explore how change is possible when addressing the components of people (see Part 1 and Part 2), process, and technology that make up the organization. Let’s now discuss, Part 3: Process.

Joseph Davis
Jun 13, 2019 · 4 min read
Technology without a process is a mess. (Source: Microsoft)

In my 25-year journey, I have lead security and privacy programs for corporations, and provided professional advisory services for organizations of all types. Often, I encounter teams frantically running around in their own silos, trying to connect the dots and yet unsure if those are the right dots. Connecting the dots becomes exponentially difficult in an environment where everyone is trying to achieve a different goal.

Here are a few tips to create teams unified around a common mission:

1. Define the Mission and implement it like any other business plan.

Focus on what success looks like, identify quick wins, and get the opinions of executive leadership. What do they view as success? Don’t settle for unrealistic answers such as, “We want 100% security.” Explain what is realistic and offer your approach as a business plan.

2. Define Success. Be able to articulate what it is and how it can be measured.

However success is defined for your mission, success needs to be measurable. If you can’t summarize success during an elevator pitch, a monthly CEO report, or a board presentation, you haven’t defined it appropriately.

3. Leverage a methodology and make it part of the game plan.

A popular methodology right now is Zero Trust’. This has been waiting in the wings for its big debut for over a decade. Zero Trust has made it to the spotlight largely because the conventional perimeter has been deemed a myth. So, what is your approach to achieving security, compliance, and privacy once you have chosen a methodology?

Trust the process. (Source: Giphy)

4. Market the Plan

In a previous role, I found success by borrowing employees from some of these other departments. Not only to help build political capital for the cybersecurity team, but to land the security awareness message with the populace and connect with the aforementioned units within IT and business leadership. To do the same, you have to start by building a plan and define your message. Repeat the message often enough so it is recognized and people are energized to help drive the mission forward.

Land the security awareness message. (Source: Microsoft)

5. Teamwork in the form of Governance

Take for example a Mobile Device Policy. Whose input should be solicited? At a minimum, you should involve HR, Legal, Finance, the CIO, and the user community. What do they want and need? When everyone agrees and all requirements are negotiated, it’s amazing how quickly a policy is ratified and becomes official.

Cybersecurity, Privacy, Compliance, and Risk Management should be managed like any other business; and any business values process. Without process, product doesn’t get manufactured or shipped, patients don’t heal, and the supply chain grinds to a halt. Without process, there can be no consensus on how to protect the organization.


Stay tuned for the next installment of my series on Changing the Monolith: People, Process, and Technology. Check out Part 1 and Part 2 on People.

Microsoft Cybersecurity

Stories from the frontlines of security, compliance, and digital transformation

Joseph Davis

Written by

Joseph Davis — Microsoft Chief Security Advisor for Health & Life Sciences

Microsoft Cybersecurity

Stories from the frontlines of security, compliance, and digital transformation

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade