Governance Outlook

Balancing Innovation, Speed, and Security: A Director's Guide

By Lex Crosett and Stephen Kraemer, PhD

12/11/2024

Expanding cybersecurity threats and pressures to innovate and adopt new technologies such as artificial intelligence (AI) demand robust governance practices, increased board engagement, and greater technology fluency in the boardroom.

Technology-driven pressures are typically in conflict and can undermine each other. For example, in 2020, the World Economic Forum published a dire warning that companies must transform digitally to remain competitive. On the other hand, security risks remain pervasive with attackers exploiting new vulnerabilities while continuing to take advantage of poor security hygiene across the ecosystem. These converging realities create dissonance and anxiety, leaving boards struggling to find the right balance.

At the heart of transformation is a seemingly irreconcilable tension between security, speed of execution, and innovation—between the need to quickly counter competitive pressure versus exerting greater control to combat cyber threats. Essentially, organizations face two competing imperatives—innovate at a faster pace to beat the competition while avoiding being fodder for front-page, security-breach headlines. Managing this paradox could not be more vital and demands a balanced approach.

Fortunately, there is a solution to this dilemma for boards and top management hiding in plain sight. Technology and security functions must complement aspiration and execution, and a modern, proven synthetic approach already exists.

The following steps outline how companies can improve performance and remain competitive by successfully blending transformation and security:

  1. Cultural Synthesis: Synthesize the culture into one that joins security and innovation without distinction and encode this new culture and playbook as the core of the organizational strategy.

  2. Lean Methods and Organizational Architectures: Adopt the lean, agile, methods-first approach to accelerate delivery.

  3. Single-Threaded Leaders: Establish small, customer-facing technology teams that include both security and business experts and are led by a single, responsible manager.

  4. Cloud Computing: Use a public cloud with readily available tools to establish security and compliance guardrails to provide for rapid, low-cost experimentation.

  5. Organization: Organize and promote single-threaded leaders who can drive rapid and highly secure innovation.

  6. Measurement: Develop metrics at the board level to document improvements in speed to market, lower costs, and a stronger organizational security posture, with a concomitant return on investment.

Cultural Synthesis

Research on transformation failures suggests that most efforts fail due to the organization’s culture, squarely placing accountability and responsibility with top leadership. In line with their fiduciary duties, corporate directors play a key role in the creation of a corporate culture capable of securing innovation that achieves the organization’s strategic goals.

Given that “89% of corporate boards say digital is embedded in all business growth strategies, but only 35% of organizations are on track to achieve digital transformation goals,” boards must close this capability and culture gap by carefully influencing the methods adopted by management to promote digital transformation as a top-tier imperative. However, board prioritization alone isn’t enough.

The historical tension between rapid digital innovation and the risk-averse approach commonly employed by many security teams is not without merit. Going back to the 1990s, innovation and profitability were the sole focus of the emerging digital technology experiences, and security was an afterthought. Only after threats emerged did organizations react, and this reactive pattern made security a bolt-on activity. This approach persists and profoundly influences a contentious interplay between security and innovation, a choice between going fast or moving cautiously (See Figure 1). Many believe that a trade-off has to be made: innovate, move fast, or stay secure—pick only two.

Figure 1 Security v. Innovation Tension

Copyright © 2024, Amazon Web Services

However, imagine a reality where embedded and automated security emerges with product releases. In theory, this possibility has always existed but has yet to be widely pursued. Today there are prescriptive methods for secure, speedy product creation at scale with demonstrable business benefits. We can have our cake and eat it too!

Organizations must commit to a cultural makeover from top to bottom to succeed. The first principle is to establish security and innovation as equal partners. This means the organization will simultaneously pursue rapid innovation and robust cybersecurity as a board-level imperative.

Security and innovation become the organization’s digital North Star, influencing all investment and strategic decision-making. With an established culture, 50 percent of the transformation journey is complete. To monitor cultural change, boards can ask senior management to measure employee satisfaction, productivity, and product delivery speed to assess the results of moving a company culture toward emphasis on speed and security. While the journey's second half may require additional structural change, industry statistics demonstrate that the alternative to changing corporate culture is a fall from competitive strength, stasis, and inevitable decline.

Lean Methods and Organizational Architectures

The fundamental element underpinning the principle of security and innovation is organizational architecture. Architecture implies the broadest business sense of meaningful changes to an organization's operating model, including culture, processes, and tools (See Figure 2).

The decoupling of the organizational architecture enables small teams to take ownership of discrete software projects using agile methods while facing and serving customers. This local, decomposed ownership drives accountability and enriches customer interaction. Quality, satisfaction, and security improve as agility plays out across each digital product and service. Additionally, smaller teams innovate more quickly, are unbounded by other teams, and create more secure products through their specialized knowledge and customer-driven diligence.

Figure 2 Security and Innovation Architecture and Operating Model

Copyright © 2024, Amazon Web Services

Single-Threaded Leaders

To succeed with security and innovation, promoting single-threaded leaders, leaders who are 100 percent dedicated and accountable to a specific product or solution, is often the most effective approach. Logically grouped, these leaders maintain ownership of their team’s work, and each leader is accountable for business outcomes and can make resource and prioritization decisions (See Figure 3).

Figure 3 Single-Threaded Leaders

Copyright © 2024, Amazon Web Services

Armed with the vital tools of synthesis, agility, and cloud computing, single-threaded leadership combines these elements to establish the organizational basis, direction, and permission to act on an ongoing basis: the easy button that smooths the tension between security and innovation.

This process is not effortless, but the approach of blended agile teams composed of development, product management, and security professionals led by a single-threaded leader delivers better results, dissolving the tension between security and innovation. This approach simultaneously assures the organization’s digital future and creates a position of strength and competitive advantage.

Board Governance Implications

Since adoption of agile/lean methods and the required changes to organizational structure can be seen as radical, board governance efforts should focus on management's measurement and reporting on the effectiveness of the changes implemented. How has management documented the increase in productivity, quality, and employee satisfaction driven by the change? How have quality and security defect escape metrics changed as a result? Is there a traditional return-on-investment measurement that validates the changes made?

In addition, directors can explore how the overall systemic risk and cybersecurity posture of the company has changed by driving its digital transformation. How can the relative changes to these risks be measured over time and expressed concisely for understanding by investors and in public filings?

Cloud Computing

Public cloud computing is arguably the most significant development in business transformation, security, and innovation enablement since the inception of the commercial Internet. With the cloud, benefits like a pay-as-you-go computing model and bundled services allow for low-cost, fail-fast experimentation combined with security and governance excellence.

Using the agile methods and processes discussed previously, organizations can use cloud technologies to accelerate business outcomes, generate deeper insights through data, develop new markets, and outpace their competition—with both security and innovation. For example, companies like GE, Netflix, and Capital One adopted a cloud-first, digital-native approach that completely transformed their digital business operations, positioning them as leaders in their verticals.

Organization

Combining product management, design, development, and security into customer-facing agile teams has been proven to improve delivery speed, security, cost control, and team-member retention (See Figure 4).

Figure 4 Innovation+Security Benefits

Copyright © 2024, Amazon Web Services

The security and innovation approach spans IT operations, third-party development activities, and cybersecurity. With a revised set of roles in the organization, the CISO function and the security team are responsible for the many routine activities needed to establish standards, stay secure, and comply with various regulatory requirements. The CISO team can also develop automated, self-service security services and guardrails that each agile team can deploy. The goals of the central and distributed team members remain the same, which are to

  1. proactively reduce the attack surface of the organization,

  2. make security work as a seamless part of the development process, and

  3. remain ready to change methods, tools, and tactics to stay secure as the threat environment evolves.

All of the major cloud platforms make this continuous evolution relatively simple by providing tools and technologies that automatically protect computers, software development pipelines, and data assets in an adaptive manner.

The embedded security team members assigned to each agile team should still be responsive to the CISO organization but should remain most intently focused on delivering value to their team’s customers.

Conclusion

Using the security and innovation approach, some well-established models drive innovation and digital transformation at scale. The cost of building new products and services with small agile teams is much lower using cloud technologies, rendering older IT technologies uncompetitive. Because small, customer-facing teams given significant autonomy can fail, and succeed, quickly, they can also create customer value more quickly and sustain incremental improvements more rapidly over time.

It is no longer acceptable for companies to adopt traditional management approaches to product and service development. A forward-thinking board should urge management to become educated on lean, secure innovation methods using cloud technologies and clearly recommend a strategic approach to remain competitive.

Questions Directors Can Ask

  1. Are security and innovation embedded in the corporate strategy as twin pillars that are explicitly understood and intentionally supported by the board?

  2. Do we have the right culture and structure to achieve our transformation goals? Are we fostering the combination of hearts and minds based on core values and building the right competencies? Does the board measure and oversee change management risk?

  3. How well do we recognize and address the underlying tension between cybersecurity and innovation within our organization, and how well is this balance integrated into our approach? Is our CISO positioned for transparency and success? Is our cybersecurity and innovation strategy aligned to our overall organizational strategy?

  4. What is the role of the public cloud in our digital transformation and technology operations? Do we understand and will we adopt the cloud's more profound benefits in our transformation strategy?

  5. Is our transformation succeeding? Are we prepared to adopt technologies like AI? How well can our infrastructure, skills, and governance support innovation? Are we trying to run before walking—before modernizing to support rapid innovation?

Lex Crosett is an enterprise technologist at Amazon Web Services (AWS) and has been an executive advisor to enterprise customers at both AWS and Google Cloud since 2015. Prior to working for AWS and Google Cloud, Crosett had a more than 30-year career as a C-level leader of technology teams and growth companies. Crosett holds the NACD.DC® and has been named a Boardroom Qualified Technology Expert by the Digital Directors Network.

As a board and executive advisor, Stephen Kraemer advocates for culture and leadership as the foundations of organizational success. His 30-year leadership career spans verticals such as transport and logistics, retail, health care, software development, scientific research, security, and government. Nearly half of his career was spent internationally in Oceania and in challenging locations such as Antarctica and Central Asia.

Kraemer holds the NACD.DC®, has been named a Boardroom Qualified Technology Expert by the Digital Directors Network, and holds two ISC2 security professional certifications.

About AWS

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, offering more than 200 fully featured services from data centers globally. Millions of customers—including the fastest-growing start-ups, largest enterprises, and leading government agencies—are using AWS to lower costs, become more agile, and innovate faster.
This article is part of the 2025 Governance Outlook report that provides governance insights for the year ahead.