Every company has a moment of transformation, when they go from a caterpillar to a butterfly. Lightning strikes — whether that’s a new product, a shift in market demand, or a change in overall strategy — and a metamorphosis occurs.

 For us, that moment was the collective shift to remote work brought on by the COVID-19 pandemic, which brought us a slew of new customers from around the world. Millions of people were now using Zoom, all with their own unique needs and requirements — and that posed a different set of security challenges.

Our security framework now had to scale alongside the business, and we had to transform our practices in a thoughtful, yet future-proofed way. To align with our growing organization and enable effective security for customers, we needed to embrace a framework to guide us through the transformation, and we learned a few things in the process. 

Here are four of those lessons:

1. Flexibility is key 

A transformation framework can drive predictability, measurability, and focus, creating stability during times of growth and change. However, it also needs to be flexible in nature — what works for a program early on may not be as relevant as an organization matures. Change is constant, and an effective transformation not only factors that in but is also tailor-made for it. 

Think of your transformation framework as a structure formed with building blocks — you can move around the blocks as needed, but they’ll always be present in one way or another. These building blocks should include cross-functional communication, ways to drive prioritization and focus, such as objectives and key results (OKRs), and measurement tactics.

2. Let prioritization guide the way 

When your organization experiences rapid scale, it’s easy to bite off more than you can chew, creating a lack of focus. While this is only natural, it’s essential that you establish a risk-based framework for prioritization, so you don’t hinder meaningful progress.

A transformation framework requires you to select both a security and measurement framework to help inform and guide program progress and effectiveness. You can use these guidelines to conduct an assessment and obtain a baseline understanding of the current state of the program. 

From there, translate this baseline assessment and further layer in risk assessments, business objectives, and compliance requirements to get a holistic view to help define focused priorities that align the security program to a shared mission and make it executable. Define your “North Star.” What are you headed toward? What are your OKRs? What does success look like? These are the questions to start asking yourself as you work to establish concrete next steps. Focusing on clear priorities helps maximize resources and therefore impact.

3. Create cross-functional communication 

We all get by with a little help from our friends, and a security team is no exception. Security initiatives aren’t possible without the support of information technology, compliance, legal, engineering, and operations teams. But you need to establish effective, cross-functional communication to truly get the help you need. 

While monthly business reviews (MBRs) are essential, we found that broader, more strategic alignment through quarterly business reviews (QBRs) with a wider, cross-functional group garners the necessary level of involvement. Since they require active engagement across an aggregate of teams, QBRs are your transformation framework’s best friend. Gather key leaders from each function together to drive clarity, awareness, and alignment around the priorities and dependencies impacting the security program objectives.

It’s vital to complement these sessions with regular communication, so get as transparent as possible when discussing the security program’s progress with the right stakeholders. Speak with governing bodies, such as the board of directors, to set expectations and enable broader awareness of the program’s current state and initiatives. This helps garner buy-in and sets expectations for your program’s current direction while ensuring stakeholders don’t feel caught off guard.

4. Measure, then reassess

Once priorities and metrics are established, measuring your progress is important. And then measure again, and again.

Many security teams choose to measure progress on a monthly or quarterly basis, depending on the maturity and needs of their programs. Regardless of cadence, security organizations should aim to answer the following questions when measuring program progress:

  • Are the objectives still in alignment with business priorities and risks?
  • Do the objectives need to be changed based on new business priorities or risks?
  • What is the measurable progress against each key result supporting the metric?
  • Are changes required to set more realistic or achievable objectives?

Continuous measurement provides a realistic picture of progress, indicating what’s working and what’s not — and why — within your program. But measurement is irrelevant if it’s not acted upon.

As your business and its risk profile continue to change, measurement followed by replanning helps you keep pace. Embrace the change by allowing your program to reevaluate its risk-driven priorities, and redefine what matters most at that period of time. Flexible goals foster realistic outcomes.

Change creates opportunities for growth

There is no one-size-fits-all approach to guiding a security program through a major transformation. What works for one company may not work for another — start by embracing a framework that you think fits your organization’s needs and be open to adjusting as you go. Remain open-minded and flexible, as your security program is only going to continue to evolve over time.

Change can be treated as either a challenge or an opportunity — react accordingly when the time for transformation comes. By complementing transformation with a framework, your security program can scale to meet the changing needs of the business. Uncertainty can become agility, future-proofing your business and preparing it for future challenges. 

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.