Why many security transformation projects fail

How proper project management can help you transition to a secure environment ‒ and how to apply its processes to cybersecurity.

Fabian Faistauer
Director, Head Cybersecurity Technology & Transformation, PwC Switzerland

Oliver Schönenberger
Senior Manager, Cybersecurity and Privacy, PwC Switzerland

Cybersecurity is a complex endeavour undertaken in a rapidly changing environment. The trouble is that cybersecurity projects are often seen as a mere exercise in technology, there is a failure to manage the people and organisational aspects properly. In this blog post we look at how the right approach to security transformation management can ensure that cyber projects are brought to a successful conclusion.

Businesses are increasingly dependent on IT infrastructure to run their overall operations. With the current cyber threat landscape prompting many organisations to invest significant resources in security transformation and improving their cybersecurity, IT security projects have increased exponentially.

Cyber is no longer seen as a matter for CISOs alone. According to PwC’s 2023 Digital Trust Insights, more than half of CEOs are now demanding better cybersecurity transformation management. Board members are themselves ready to learn about cyber to understand the threats and align their management to the security goals.

Attaining these goals means not only having the relevant security transformation skills and techniques, but also making sure that there are people within the company who are trained to manage security transformations.

Cybersecurity and Privacy

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more

What is security transformation management?

Doing successful business in a rapidly evolving environment requires agility and the ability to adapt quickly to change. You can only respond effectively if flawless processes are in place, clear responsibilities have been laid down, and you’re able to stay on top of multiple factors throughout the whole process. When it comes to cybersecurity, however, the environment is so fast-paced that not all the relevant factors are apparent at first glance. It can be difficult to clearly identify the major elements of the change.

The problem is compounded by the fact that cybersecurity projects are often seen as minor transformations primarily involving new technology. There’s a failure to consider the overall impact on the organisation and its employees. The result is that cyber transformations are often poorly managed and don’t achieve the desired goals.

This is where security transformation management comes in. The aim is to understand a company’s cybersecurity posture and identify the elements that should be given priority. It’s a process of initiation, planning, execution and closure that assures successful accomplishment of the project goals without disregarding the organisation’s employees.

Why is security transformation management critical?

The role of security organisations should be to apply innovative technologies to protect the company in a constantly changing environment. In the past, however, IT organisations have often focused on cutting costs rather than investing in innovation. The result? Companies have often put too few resources into security solutions. The consequences in the event of a cyber-attack can be catastrophic. In such situations, many companies try to implement new solutions as quickly as possible without any plan or strategy. As a result, many security projects fail before they even get started. There are many reasons for this:

Misaligned leadership

Misaligned leadership leads to biases towards the project, resulting in a lack of sponsorship and support. This will ultimately be felt by the employees who are part of the project.

Poor planning, undefined goals & strategy

The scope and the budget are not appropriately defined, and the goals of the project are not aligned with the overall business strategy.

Lack of methodologies & processes

There is no use of appropriate project methodologies, and no processes are in place to properly set up and conduct the security transformation.

Unprepared people

Employees were not upskilled or reskilled prior to the transformation and are now out of their depth. They are disconnected from the transformation, as they feel it will create more inconvenience in their daily processes.

This is where security transformation management comes in. It supports the IT and/or security organisation by professionally transforming its business to the next level. It makes sure that the key stakeholders are involved from the beginning, and introduces project management skills, techniques and methods into the cybersecurity environment. Security transformation management is one of the keys to fostering innovative technologies in security organisations.

How do you approach security transformation?

Assuring a successful security transformation means resolving the issues that result in failure by making sure a number of supportive factors are in place. The main factors that have to be monitored vary from transformation to transformation. The key factors to monitor are:

Effective security transformation ensures that the correct factors are monitored throughout the changeover. This is done by adopting and delivering different phases from frameworks and models inspired by project management methodologies:

First there is an initiation phase to define the needs and scope of the transformation.

Then the planning phase helps determine the correct scheduling of each milestone in the project.

The execution/delivery phase is where the work is actively undertaken by the team.

In the final closure phase of the project, the results are compared with the goals set during the initiation phase.

It’s also essential to constantly monitor deliverables throughout the execution phase. This is only possible with proper project management.

People are a crucial part of the security transformation

When conducting a transformation project, the human factor is often forgotten. Given the utmost importance of people in cybersecurity, one of the aims of security transformation is to involve them in the transition. A potential problem is that the people affected by the transformation might not respond positively or have the necessary training to cope with the change. So it’s key for the security staff and its customers to be comfortable with the new security technologies and their benefits for the whole organisation.

Another important aspect is the collaboration between the different functions within the security organisation. Security architecture, engineering and the operations centre, for example, need to engage closely and actively propagate new innovative security solutions for the benefit of the whole organisation.

How do you measure the success of your security transformation?

The success of your security transformation can only be validated if the project itself is a triumph. This means the success factors of the transformation (outlined above) have to be defined and monitored throughout the entire journey.

Success is only possible if there’s effective communication between the project manager and the team; and all the relevant stakeholders are kept informed of the overall progress. Even more importantly, a security transformation can only succeed if senior management gives the change its support. This is especially true in cybersecurity, as most employees dread the idea of having to leave their comfort zone and have their technology upgraded.

The outcomes of a solid security transformation can be categorised as follows:

Strategy alignment

A security transformation assures strategic alignment with business requirements (for example it supports strategic initiatives such as the journey to the cloud).

Risk reduction

The security transformation reduces the attack surface of the business (e.g. through better identification of vulnerabilities).

Resource management

Proper use is made of people and technology.

Value delivery

The project adds value to the business.

Measurable KPIs

Metrics are developed to determine performance and improve it.

All this means that security transformation has to start before execution of the project has even begun. It continues beyond closure to ensure that management and staff are comfortable maintaining it.


Get in touch

Please reach out to us if you’re interested in learning more about our security transformation capabilities. We practise what we preach within our own organisation, and our team will be happy to support you in your own security transformation.


Building trust to succeed

Trust in a team that truly helps your organisation transform by designing, implementing, and continuously monitoring the right cybersecurity solutions. Together, we create sustainable value and trust – now and in the future.

Explore our offering

Contact us

Fabian Faistauer

Fabian Faistauer

Director, Cybersecurity Technology & Transformation, PwC Switzerland

Tel: +41 58 792 13 33

Oliver Schönenberger

Oliver Schönenberger

Senior Manager, Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 40 17