How to restructure your security program to modernize defense

In 2024, Marriott received a harsh wake-up call: a federal order to restructure its security program. The order from the U.S. Federal Trade Commission followed an investigation that uncovered a string of breaches dating back to 2014, incidents that exposed the personal information of 344 million guests.

The FTC decision forced Marriott to overhaul its defenses, tightening access controls, improving vendor oversight, and carrying out ongoing testing, measures that were long overdue. 

Waiting for a federal order or a breach to trigger a redesign of the policies, procedures, and controls that safeguard information, assets, and personnel is a gamble few can afford. The wiser course is to spot the warning signs early and act before cracks begin to show.

“The red flare signal that it is time to restructure a security program is most easily expressed in a single question: Is my security program effective?” says Richard Bird, CSO of Singulr AI. “The typical response — Well, we haven’t been breached — is not a measure of effectiveness,” Bird adds.

Some early warning signs include “a surge in successful attacks or near misses, tool fatigue or alert overload in the security operations center (SOC), regulatory failures, and perhaps most tellingly, a perception in the business that security is a blocker rather than a partner,” says Karim Benslimane, VP and Field CISO at Darktrace.

While there aren’t hard rules on how security programs need to be restructured, experts say there are certain priorities CSOs need to keep in mind and several mistakes they should avoid.

Turning a toxic situation around

After a major breach — or a series of them, as in the case of Marriott — it’s not uncommon for organizations to want to restructure their security programs. If the CISO is replaced, the new security leader may find themselves in an environment where trust has been eroded, teams are burned out, and relationships with board members are already under strain. 

In times like these, the first decisions the new CISO makes can set the tone for everything that follows. “The new CISO should conduct a top-to-bottom review, ideally using an independent third party, to both ensure there are no other latent breaches waiting to be uncovered, and also to form a view of whether controls are sufficient and effective,” says Phil Venables, strategic security advisor at Google and former CISO of Google Cloud.

And there’s one more initial assessment the CISO must make: find out whether executive leadership, including the CIO or CTO, truly supported their predecessor. The answer could help them understand whether the breaches were the former CISO’s fault or a deeper sign that the organization has not invested enough in security.

Chad LeMaire, CISO at ExtraHop and former CSO in the US Air Force, agrees that understanding the root cause of the disaster is mandatory, and that it should guide the next steps. Any fixes risk being superficial if they’re made without that deeper context. “When the CISO has a clear understanding of the business, culture, security program, security capabilities and investments, root cause, and team skills, then the CISO will be armed with the necessary knowledge and understanding to rebuild the security program,” he says.

Part of that knowledge can be acquired from genuinely listening to people. Chuck Herrin, field CISO at F5, recommends new CISOs spend their initial weeks on the job in listening mode before making big changes.

“I’d start with short, focused listening sessions across the business – with security teams, IT, developers, and executives,” Herrin says. “Ask questions like: What worked? Where do we get in your way? How do we show you that we’re here to partner, not block? How do you measure the value we provide to you, your line of business, and your team?”

These listening tours can help rebuild trust quickly and help systemic issues surface. And over time, they send a powerful message: the security team’s voice truly matters. “They have a lot of opinions on what just happened, and are likely nervous about the new boss coming in: Is s/he going to back us? Fire us all and bring in their own people? Throw us under the bus to curry favor with leadership?” Herrin says. “Now is the time not to assume anything but ask a lot of questions and demonstrate that you’re listening.”

From there, Herrin suggests looking for small, visible wins: something that matters to the business and can be delivered quickly. It could be better reporting, streamlining a broken approval process, or closing off a glaring blind spot. “A quick, meaningful improvement proves to everyone that this leadership team is serious about change, and it sets the stage for the deeper cultural and technical work ahead,” he says.

If the team is overworked, then leaders should invest in automation, streamline processes, and involve everyone in finding efficiencies.

Restructuring the security program when technology and skills change

When revamping a security program, CISOs can keep in mind Venables’ four-phase framework, which is flexible enough to fit almost any organization. Companies can start where they are, make the changes they want, and then return to complete the remaining tasks.

Restructuring the security program should be done periodically, because technology evolves. Venables recommends CISOs “consume strategic threat intelligence” to stay updated. And he also advises them to proactively address entire classes of risks, threats, and vulnerabilities, rather than waiting for an incident to occur.

It helps if CISOs and security teams take time to examine existing plans, processes, and procedures to determine if there are any improvements or innovations necessary to strengthen defense capabilities, adds LeMaire.

Sometimes, there are tools that can be added, and tools that can be taken away. “If you can simplify your stacks and get 90% from 10 tools instead of 10% from 90, you’ll free up budget and attention for the next challenge,” LeMaire says. Meanwhile, experts point to leveraging AI-driven tools that can increase the team’s productivity and capability by “10x”, as Venables put it. 

Training should also be taken seriously — supporting security teams to grow is another theme echoed by many experts in the field. “When in doubt, invest in your people,” says LeMaire. “You can’t really future-proof security, but you can build a team that can adapt.”

But beyond hiring the right talent and ensuring proper training, CISOs must also be ready to make tough personnel decisions when necessary.

“Sometimes you change the people, and sometimes you change the people,” says Herrin. “If you have the wrong people in critical roles, you need to make changes and make them quickly. What matters most is the people and the leadership, not the tech.”

Common mistakes

Mistakes are inevitable when reworking something as complex as a security program. They usually come from not having enough support, holding on to the wrong assumptions, or underestimating how big a cultural shift is needed to make changes last.

Such big projects rarely succeed without full backing from the top, so one mistake CISOs can make is not confirming an explicit commitment to trust and support from the CEO, the CFO, and the COO of their organization. “The people who control the vision, purse strings, and operations of the organization are the champions a CISO will need when restructuring begins to inevitably and necessarily change the processes and behaviors of everyone across that organization,” Bird says.

Another common misstep, he adds, is “believing that they can will a restructuring into existence.” In reality, without strong soft skills to negotiate with leadership and rally employees behind the effort, even the best-laid plans risk falling flat.

Soft skills also help CISOs identify the right people to work with, and they should be open about the knowledge, attitudes, and adaptability they’re looking for. One mistake, though, is only hiring people with big-company experience, which can limit fresh perspectives and agility. Diverse backgrounds, whether from startups, the public sector, or unconventional career paths, can bring new problem-solving approaches that established corporate veterans might overlook. And these employees should be treated fairly.

“A tenured team without raises for several years can signal that the company is not really invested in security,” says Nick Muy, CISO at Scrut Automation. The lack of investment often pairs with unrealistic expectations for the team and questionable calls on how resources are allocated. “If the attitude is to in-house everything, that’s rarely practical for most mid-sized firms,” Muy adds. “Direct in-house resources where you need them most and leverage outsourcing or tools for the rest.”

Other common missteps in a restructuring involve tools and technology. “CISOs must avoid three key pitfalls,” says Benslimane. “Underestimating the impact of AI-powered threats, relying on static, legacy tools, and mismanaging expectations around new technologies like AI.” His suggestion is to embrace cloud-native infrastructure and bring in talent with the skills to harness AI.

Problems can also surface when CISOs focus too much on enabling the business, which often means that security takes a hit. “This can sometimes lead to a compromise between implementing robust security requirements and the company taking on more risk,” says Chad Thunberg, CISO at Yubico. “Sometimes it is important to slow down and reassess a situation or a decision to make sure the focus is on the right areas at the right time.”

In many ways, rebuilding a security program is more challenging than creating one from scratch. CISOs can face intense pressure to deliver results with the limited resources at their disposal, which often leads to sleepless nights.

“When a CISO embarks on this kind of crusade, they often fail to account for the toll it will take on their relationships with their family, friends, and community,” Bird says. “Forgetting about taking care of emotional, physical, and interpersonal balance usually means the restructuring fails and swallows up all of those personal components in the blast radius as well.”
