
What we learned from transforming a security program

By Heather Ceylan, Ariel Chavan

November 4, 2022

Every company has a moment of transformation, when they go from a caterpillar to a butterfly. Lightning strikes — whether that’s a new product, a shift in market demand, or a change in overall strategy — and a metamorphosis occurs.


For us, that moment was the collective shift to remote work brought on by the COVID-19 pandemic, which brought us a slew of new customers from around the world. Millions of people were now using Zoom, all with their own unique needs and requirements — and that posed a different set of security challenges.


Our security framework now had to scale alongside the business, and we had to transform our practices in a thoughtful, yet future-proofed way. To align with our growing organization and enable effective security for customers, we needed to embrace a framework to guide us through the transformation, and we learned a few things in the process. 


Here are four of those lessons:


1. Flexibility is key 

A transformation framework can drive predictability, measurability, and focus, creating stability during times of growth and change. However, it also needs to be flexible in nature — what works for a program early on may not be as relevant as an organization matures. Change is constant, and an effective transformation not only factors that in but is also tailor-made for it. 


Think of your transformation framework as a structure formed with building blocks — you can move around the blocks as needed, but they’ll always be present in one way or another. These building blocks should include cross-functional communication, ways to drive prioritization and focus, such as objectives and key results (OKRs), and measurement tactics.


2. Let prioritization guide the way 

When your organization experiences rapid scale, it’s easy to bite off more than you can chew, creating a lack of focus. While this is only natural, it’s essential that you establish a risk-based framework for prioritization, so you don’t hinder meaningful progress.


A transformation framework requires you to select both a security and measurement framework to help inform and guide program progress and effectiveness. You can use these guidelines to conduct an assessment and obtain a baseline understanding of the current state of the program. 


From there, take this baseline assessment and layer in risk assessments, business objectives, and compliance requirements to get a holistic view. Use that view to define focused priorities that align the security program to a shared mission and make it executable. Define your “North Star.” What are you headed toward? What are your OKRs? What does success look like? These are the questions to start asking yourself as you work to establish concrete next steps. Focusing on clear priorities helps maximize resources and therefore impact.


3. Create cross-functional communication 

We all get by with a little help from our friends, and a security team is no exception. Security initiatives aren’t possible without the support of information technology, compliance, legal, engineering, and operations teams. But you need to establish effective, cross-functional communication to truly get the help you need. 


While monthly business reviews (MBRs) are essential, we found that broader, more strategic alignment through quarterly business reviews (QBRs) with a wider, cross-functional group garners the necessary level of involvement. Since they require active engagement across an aggregate of teams, QBRs are your transformation framework’s best friend. Gather key leaders from each function together to drive clarity, awareness, and alignment around the priorities and dependencies impacting the security program objectives.


It’s vital to complement these sessions with regular communication, so get as transparent as possible when discussing the security program’s progress with the right stakeholders. Speak with governing bodies, such as the board of directors, to set expectations and enable broader awareness of the program’s current state and initiatives. This helps garner buy-in and sets expectations for your program’s current direction while ensuring stakeholders don’t feel caught off guard.


4. Measure, then reassess

Once priorities and metrics are established, it is important to measure your progress. Then measure again, and again.


Many security teams choose to measure progress on a monthly or quarterly basis, depending on the maturity and needs of their programs. Regardless of cadence, security organizations should aim to answer the following questions when measuring program progress:

  • Are the objectives still in alignment with business priorities and risks?
  • Do the objectives need to be changed based on new business priorities or risks?
  • What is the measurable progress against each key result supporting the metric?
  • Are changes required to set more realistic or achievable objectives?


Continuous measurement provides a realistic picture of progress, indicating what’s working and what’s not — and why — within your program. But measurement is irrelevant if it’s not acted upon.


As your business and its risk profile continue to change, measurement followed by replanning helps you keep pace. Embrace the change by allowing your program to reevaluate its risk-driven priorities and redefine what matters most at that point in time. Flexible goals foster realistic outcomes.


Change creates opportunities for growth

There is no one-size-fits-all approach to guiding a security program through a major transformation. What works for one company may not work for another — start by embracing a framework that you think fits your organization’s needs and be open to adjusting as you go. Remain open-minded and flexible, as your security program is only going to continue to evolve over time.


Change can be treated as either a challenge or an opportunity — react accordingly when the time for transformation comes. By complementing transformation with a framework, your security program can scale to meet the changing needs of the business. Uncertainty can become agility, future-proofing your business and preparing it for future challenges. 


This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.

KEYWORDS: compliance cyber security risk assessment security operations


Heather Ceylan is Head of Security Standards, Compliance, and Customer Assurance at Zoom.

Ariel Chavan is Head of Security Product and Program Management at Zoom.
