Security & Identity

Moving shields into position: How you can organize security to boost digital transformation

September 12, 2024
Taylor Lehmann

Director, Office of the CISO, Google Cloud

David Stone

Solutions Consultant, Office of the CISO, Google Cloud


If you want to get stronger, you can’t just lift weights for a few months and then call it quits. You have to build your muscle density and stamina, refine your workouts, change your diet, and allow your end goal — improved strength — to become a guiding principle.

If you don’t use it, you lose it.

Transformation should be seen in a similar light: It’s a muscle that needs to be exercised according to an ongoing plan, so that you can serve customers at greater scale, lower cost, and increasing levels of quality and satisfaction.

Despite all that’s been said about digital transformations, they’re challenging to execute well. Too often, the transformation journey is seen as an end goal, like nailing a personal record on a bench press. Organizations also struggle with two very real questions:

  1. How can we use the experience of other organizations who have undertaken successful transformations to guide our experience?
  2. What are the steps that a pre-transformation organization should take to achieve and maintain a viable, resilient, transformed state?

The ability to react quickly and successfully to changes, from customer preferences to security threats, is a vital skill — or muscle — that can only be built up through transformation programs.

What organizations should focus on is building a resilient team who can navigate the changes that are going to keep coming as they push into the cloud.

At Google, we believe organizations can build the muscle to adapt to change, and it starts with people. Organizations stand a good chance of succeeding at their transformations (and everything else that happens during and after) when they change how their employees are structured, organized, and motivated, and how information flows through them and the organization as a whole.

We’ve now published, in a new report, “Organizing Security for Digital Transformation,” the cumulative lessons from thousands of hours we’ve spent helping our customers build teams that successfully deliver transformation and thrive when things change, to help even more organizations develop this vital yet complicated muscle.

Structural change through security metamorphosis


We’ve found that while many organizations do succeed in introducing amazing new cloud technologies, they often struggle to tune their organizational structure in ways that accelerate their path to the cloud.


Many organizations know this, too, and their CISOs often ask how they should best structure their organization to efficiently and effectively secure cloud infrastructure and services, which is a new scope for many existing security programs. To answer this question, we usually engage in a workshop focused on organizational transformation. It can take months to complete, but the results are transformative.

The process is comprehensive and holistic. We gather as much data as we can about the organization using many techniques, including:

  • Conducting surveys of employees and leaders
  • Interviewing stakeholders from across the business
  • Studying the organization’s goals and goal-setting processes
  • Analyzing its risk and change appetite
  • Diving deep into budgets, organization charts, governance processes, and culture plans

We evaluate the results of this work and combine it with data gathered during our DevOps Research and Assessment (DORA) to provide specific recommendations on how CISOs and security leaders should adjust their teams to take advantage of their new speed and scale. From our work (and to no one’s surprise), it takes more to modernize a security organization than just adopting new technologies.


Stages of transformation.

This starts with setting clear goals and a focus on:

  1. Organization (the “Who” of change): Who in the organization is going to be involved in the changes, what are they responsible for, how do they work with other teams, what do we expect from them in the future, and does our culture support these changes?
  2. Operations (the “How” of change): How do we produce value for customers today and how do we expect to produce value during and after we make these changes?
  3. Technology (the “What” of change): What technologies do we need to support delivery of these new services, what processes do they impact, how will they be used, and who will use them?

We also call this OOT (Organization, Operations, and Technology) and it’s more than a cute noise an owl might make. We find that OOT challenges the conventional approach in traditional organizations where technology choices often precede organizational adaptation. The order matters, because to do transformation correctly we must start with people, the lifeblood of every organization.

The four phases of organizational change

The four phases of organization transformation — experimentation, dissolution, transformation, and integration — provide a guide on how to think about measuring progress and overcoming setbacks. The journey through the four phases isn’t necessarily linear, so it can be helpful to periodically evaluate where you are in the process.

For example, while there may be a desire to reach the Integration stage quickly, we have found that the organizations who get there and experience the most success have almost always spent time going back and forth in earlier stages, fine-tuning their organization and operating model.

Since change is a constant, an organization that has remained in Integration for too long may be a sign that disruption is needed to achieve even greater outcomes. Organizational changes can be hard, but they are worth it in the end.

Organization security for digital transformation

Ultimately, our guide can help security leaders understand their organization and operating model, optimize it, and drive it to operate at the speed, scale, and quality that high-performing product teams demand. Security leaders can use the chart below as a map for self-assessment, to set goals, make organizational changes, distribute responsibilities, and communicate with senior leadership when discussing changes.


Modern security team structures.

Not every organization will look the same: the organization is a reflection of how a company makes decisions (especially its leadership’s appetite for change and risk). That said, we believe high-performing cloud security organizations look substantially different from their on-premises counterparts.

Responsibilities are distributed to fewer teams, who work closely with Platform and Product teams, to deliver secure products (not just security products) and defend the organization from threats faster and better than before.

Building towards generative cultures

Finally, we suggest that building a strong organization with the muscle to adapt continuously to change requires more than just a strong leader and new organization charts. Building culture, especially a generative one, is critical to short-term gains and long-term success in organizational security for digital transformation.

That culture, characterized by high trust, information flow, and shared responsibility, may be a departure from the hierarchical and siloed structures prevalent in traditional organizations. In this new report, we present evidence that CISOs can use to cultivate a generative culture that’s essential for fostering collaboration, innovation, and adaptability, and ultimately for modernizing security into the future.

For more details, you can read Organizing Security for Digital Transformation here.
