How to make a large-scale Cybersecurity Transformation journey achievable?
I received several questions on one of my earlier blog posts, How to deliver Cybersecurity Transformation. They were mainly about how to make the Cybersecurity transformation journey achievable. Hence, this blog post explains my approach to achieving a large-scale Cybersecurity transformation.
Delivering a large-scale Cybersecurity transformation involves solving a complex unstructured problem. This blog neither covers nor advocates any specific project management practice. For a successful delivery, disciplined project management practice is a must-have, whether you follow waterfall or agile methodology. This blog post mostly covers the problem-solving aspects from the Cybersecurity angle.
Fight the kick-off inertia: When the problems are complex, unstructured and enterprise-scale, the key hindrance is what I call “kick-off inertia”. You need to start the action somewhere. I don’t mean that you should start solving the problem on day one, but take the first step today.
Get an executive sponsor and board support: Cybersecurity initiatives are not mere technology rollouts. To succeed, they need cross-functional support across the enterprise. The way to achieve this is via an executive sponsor who has board-level influence. It is also important to get a commitment from the sponsor to spend a couple of hours a month with you, reviewing progress and helping to unblock hurdles.
Manage stakeholders: When it comes to a brand new set-up, everyone has their own opinion. With an unstructured problem in particular (new setups generally fall into this category), no one is clear and the confidence level is low. Hence, there will be more negative emotion than positive vibe. People will also have their own picture of the future, something similar to the story of six blind men describing an elephant!
Define problem statement clearly: Jumping into a solution without defining the problem is disastrous and a recipe for failure. When solving an unstructured problem, stakeholders need your help defining the problem. So, by all means, help shape the problem definition. While you might know what to solve, you must take your stakeholders along with you. If the stakeholders are not aligned with your problem definition (however accurate it is), the probability of your delivery resulting in benefits is extremely low.
Break down the problem: Break down the enterprise-scale unstructured problem into smaller manageable problems that can easily be visualized. This is an iterative activity till you reach a point where you can’t break down the problem further.
Be SMART: The problem statement needs to be specific. Generic and open-ended problem statements are easy to formulate but will get you nowhere. The recommendation is to follow SMART guidelines (Specific, Measurable, Achievable, Realistic, and Timely) when formulating a problem statement.
Don’t fall into the analysis-paralysis trap: When it comes to solving an unstructured problem, it is easy to fall into the analysis-paralysis trap. What I mean is that we can go on analysing the problem forever without reaching a meaningful conclusion. Ensure that you don’t fall into this trap. One of the ways to achieve this is via “timeboxing” the analysis stage.
Set up Governance structure: For some, Governance is a “dry” aspect of the “exciting transformation journey”. Of course, solving an unsolved and unstructured problem is the interesting part of the journey. But don’t underestimate the power of governance. Especially when dealing with a large number of stakeholders (very much relevant for Cybersecurity transformations), the right level of governance is a must-have. Otherwise, however powerful or best-in-class your tech solution is, the transformation is set to fail.
Communicate and keep the stakeholders updated: Although this is an essential part of Governance, I am calling it out specifically because one of the key reasons for project failure is the lack of the right level of communication. The stakeholders need to know what is working well, what is not and how best they can help. Hence, periodic communication is a must-have for a successful Cyber transformation.
Keep track of the degree of uncertainty: As we traverse through the active Cybersecurity transformation journey, the degree of uncertainty is expected to decrease. As a result, stakeholder confidence is expected to increase. Make full use of this! At the same time, be aware of where you are on this journey. The graph below gives an indicative sense of the degree of uncertainty of unstructured problem resolution vs. the transformation journey. I call this a Cyber Journey Graph. Note that the extrapolation will differ from organization to organization, as well as with the scale of the Cyber transformation.
Plan operationalization from day 1: Projects can’t run forever. The key reason projects exist is to solve unstructured problems and convert them into repeatable operational steps. The moment the degree of uncertainty comes down to a manageable level, at which we can set up repeatable process steps, the project needs to transition to BAU (Business As Usual) Operations.
While nothing is wrong with running projects forever, it will be a waste of costly project resources, which can be redeployed for maximum returns. The moment project teams start performing repeatable tasks with no end date, they turn into Operations by definition. This is also the point of diminishing returns.
Conclusion: Delivering a large-scale Cybersecurity transformation into fully stable BAU Operations is generally a multi-year endeavour (not to say that the delivery can’t be managed within a year). The enterprise-scale delivery translates to a complex unstructured problem with multiple unknowns. As we traverse through the journey, the grey areas transform into known territories. With disciplined programme/project management, the Cybersecurity transformation is very much achievable.