Implementation Guide: Challengers
Position Characteristics
Challengers occupy the Complex + Low Readiness quadrant:
- High operational complexity (100+ engineers, multiple products/services)
- Legacy infrastructure (manual processes, limited automation, technical debt)
- Resource constraints (security team stretched thin, competing priorities)
- Transformation imperative (current state unsustainable at scale)
- Highest transformation risk (two-axis movement required)
The Challenger Reality
This is the most difficult transformation journey. You must simultaneously:
- Reduce operational burden (can't maintain current manual load)
- Increase automation (while systems resist automation)
- Maintain operations (can't stop to renovate)
- Navigate organizational resistance (change is hard)
Critical Truth: Two-axis movement (complexity + readiness) has high failure risk. Success requires strategic sequencing, executive support, and realistic timelines.
Strategic Priorities
1. Stabilize Before Transforming
Don't attempt transformation while drowning in operational work.
First Priority: Achieve operational stability
- Constrain BAU growth (say no to low-value work)
- Automate or eliminate highest-burden activities
- Build breathing room for strategic work
- Secure executive support for transformation
Investment Focus:
- Quick automation wins (eliminate repetitive manual work)
- Tool consolidation (reduce operational overhead)
- Relationship building with engineering (you'll need their help)
- Documentation of current state (know what you're transforming from)
Timeline: 6-12 months before major transformation begins
2. Choose Your Transformation Path
Two possible strategies, each with different tradeoffs:
Path A: Reduce Complexity First (Move toward Niche Players)
- Strategy: Simplify operations while modernizing what remains
- Examples: Consolidate products, retire legacy systems, reduce scope
- Advantages: Easier transformation, clearer focus, faster progress
- Challenges: May require difficult business decisions, potential revenue impact
- Timeline: 12-24 months to Niche Players, then 18-24 to Visionaries
Path B: Increase Readiness Despite Complexity (Move toward Leaders)
- Strategy: Gradual modernization while maintaining complex operations
- Examples: Hybrid approaches, phased rollouts, incremental automation
- Advantages: Maintains business operations, no scope reduction needed
- Challenges: Longest timeline, highest failure risk, requires sustained investment
- Timeline: 36-60 months to Leaders (realistically)
Critical Decision Factors:
- Executive support and patience (Path B requires 3-5 year commitment)
- Resource availability (Path B needs significant sustained investment)
- Business model (Can you reduce complexity without hurting revenue?)
- Organizational change capacity (Path B requires high tolerance for disruption)
3. Execute Hybrid Transformation
Regardless of path, you'll need hybrid approaches:
Modern + Legacy Coexistence:
- Modern security for new systems (cloud-native, automated)
- Pragmatic controls for legacy systems (appropriate to modernization timeline)
- Gradual migration (not big-bang transformation)
- Clear criteria for what gets modernized when
Investment Focus:
- Security automation for new systems (don't recreate manual processes)
- Managed services for legacy (reduce operational burden)
- Platform capabilities that serve both (unified monitoring, identity)
- Clear boundaries between modern and legacy
Quick Start Checklist
Month 1-3: Stabilization
- [ ] Document current state: operational burden, manual processes, pain points
- [ ] Identify 3 highest-burden manual activities for elimination/automation
- [ ] Assess relationship health with engineering teams
- [ ] Secure executive sponsor for transformation (critical for success)
- [ ] Map which systems are candidates for modernization vs. retirement
Month 4-6: Quick Wins
- [ ] Eliminate or automate at least 1 high-burden manual activity
- [ ] Implement managed security service for at least 1 capability
- [ ] Launch relationship-building initiative with engineering
- [ ] Define transformation path (reduce complexity or increase readiness)
- [ ] Create high-level transformation roadmap with executive sponsor
Month 7-12: Foundation
- [ ] Establish modern security for new systems (break legacy pattern)
- [ ] Deploy automated security scanning for active development
- [ ] Begin infrastructure modernization pilot
- [ ] Measure and track operational burden reduction
- [ ] Communicate transformation progress to stakeholders
Year 2: Transformation Launch
- [ ] Execute on chosen path (complexity reduction or readiness increase)
- [ ] Establish success metrics and track progress
- [ ] Regular executive updates on transformation progress
- [ ] Course-correct based on what's working/not working
Investment Roadmap
Path A: Reduce Complexity First (→ Niche Players → Visionaries)
Year 1: Stabilize + Plan Complexity Reduction
- Stabilization (50% effort): Quick automation wins, operational burden reduction
- Complexity Assessment (30% effort): What can be simplified, consolidated, retired?
- Modern Security for New (20% effort): Stop recreating legacy patterns
Year 2-3: Complexity Reduction + Modernization
- Simplification (40% effort): Product consolidation, system retirement, scope reduction
- Modernization (40% effort): Cloud migration, CI/CD, infrastructure-as-code
- Essential Security (20% effort): Maintain security during transformation
Year 3-4: Complete Transformation to Visionaries
- Security Automation (60% effort): Build Visionary-level capabilities
- Legacy Retirement (30% effort): Complete sunset of old systems
- Optimization (10% effort): Refine and improve
Expected Outcome: Visionary positioning after 3-4 years
Path B: Increase Readiness Despite Complexity (→ Leaders)
Year 1: Stabilize + Hybrid Foundation
- Stabilization (40% effort): Quick wins, operational burden reduction
- Modern Security for New (40% effort): Break legacy patterns for new systems
- Hybrid Strategy (20% effort): Define modern vs. legacy approach
Year 2-3: Gradual Modernization
- New Systems (40% effort): Leaders-level capabilities for modern infrastructure
- Legacy Pragmatism (30% effort): Managed services, appropriate controls
- Platform Capabilities (30% effort): Unified capabilities serving both
Year 4-5: Complete Modernization
- Legacy Migration (40% effort): Migrate remaining systems to modern platform
- Leaders Capabilities (40% effort): Advanced automation, platform effects
- Legacy Retirement (20% effort): Sunset old infrastructure
Expected Outcome: Leaders positioning after 4-5 years (optimistic)
Common Pitfalls
Attempting Two-Axis Movement Too Fast
Risk: Transformation failure from moving too aggressively
Symptoms:
- Multiple simultaneous transformation initiatives
- Team burnout from change overload
- Incomplete migrations and half-finished modernization
- Regression to old patterns under pressure
Solution: Sequence transformation - stabilize first, then move one axis at a time, or reduce complexity before increasing readiness
Underestimating Timeline and Resources
Risk: Transformation stalls from insufficient investment
Symptoms:
- Transformation "initiatives" without dedicated resources
- Security team expected to transform while maintaining BAU
- Projects perpetually delayed for operational work
- Executive frustration with "slow progress"
Solution: Realistic timelines (years, not months), dedicated resources, executive understanding
Recreating Legacy in Modern Infrastructure
Risk: Cloud migration without modernization
Symptoms:
- "Lift and shift" cloud migration
- Manual processes recreated in cloud environment
- Complex security reviews for cloud deployments
- Same problems, higher cloud costs
Solution: Modernize during migration, automate from start, break old patterns
Transformation Without Relationship Building
Risk: Security transformation fails from engineering resistance
Symptoms:
- Security initiatives mandated without buy-in
- Engineering teams bypassing security controls
- Low adoption of security platforms
- Adversarial relationships between security and engineering
Solution: Invest heavily in relationship building, demonstrate value, collaborative approach
Missing the Crisis Window
Risk: Transformation loses momentum without executive support
Symptoms:
- Transformation deprioritized for short-term needs
- Resources pulled for other initiatives
- "Transformation fatigue" setting in
- Reverting to old patterns
Solution: Use crisis events to secure sustained executive commitment
Success Indicators
Year 1 (Stabilization)
- [ ] Operational burden reduced 20% through automation/elimination
- [ ] Executive sponsor actively engaged (monthly transformation reviews)
- [ ] Modern security deployed for new systems (not recreating legacy)
- [ ] Relationship health improving (measured via engineering satisfaction)
- [ ] Transformation roadmap approved with committed resources
Year 2 (Early Transformation)
- [ ] Operational burden reduced 40% from baseline
- [ ] Clear separation between modern and legacy security approaches
- [ ] Measurable progress on complexity reduction or modernization
- [ ] Team morale stable or improving (not burnout from change)
- [ ] Regular executive updates demonstrating progress
Year 3-5 (Transformation Progress)
- [ ] Operational burden reduced 60-80% from baseline
- [ ] Majority of systems on modern infrastructure (or complexity significantly reduced)
- [ ] Security automation at Visionary or Leaders level for modern systems
- [ ] Sustainable operations (not requiring heroic effort)
- [ ] Position movement toward Niche Players, Visionaries, or Leaders
Transformation Success Factors
Critical Requirements
- Executive sponsorship - CEO, CTO, or COO level champion
- Realistic timeline - 3-5 years for complete transformation
- Dedicated resources - Can't be "side of desk" project
- Relationship health - Engineering as partners, not adversaries
- Strategic patience - Resist pressure for premature timelines
Helpful Enablers
- Crisis event creating transformation window
- High change capacity in organization
- Strong engineering partnership willing to help
- Financial resources for tools, cloud migration, hiring
- Business support for complexity reduction (if applicable)
Red Flags for Failure
- "Transform in 12 months" expectations
- Security team expected to transform without additional resources
- No executive sponsor or inactive sponsor
- Damaged relationships with engineering
- Attempting transformation during other major changes (M&A, reorgs)
Decision Framework
Should You Reduce Complexity First?
Yes, if:
- You have products/services that could be consolidated or retired
- Business model supports scope reduction
- Executive support for difficult decisions
- Prefer faster transformation (3-4 years vs 4-5 years)
No, if:
- Business model requires current complexity
- Revenue tied to all current products
- No viable consolidation or retirement options
- Must maintain all current operations
Can You Successfully Execute Path B (Direct to Leaders)?
Realistic if:
- Strong executive commitment (CEO level) to 4-5 year timeline
- Significant resources available (budget, headcount, time)
- High organizational change capacity
- Excellent relationship health with engineering
- Recent crisis event creating transformation window
Unrealistic if:
- Expecting results in 1-2 years
- Security team must transform while maintaining full BAU
- Damaged relationships with engineering
- Low change capacity or change fatigue
- No crisis event or executive urgency
If Path B seems unrealistic: Choose Path A (reduce complexity first)
Next Steps
- Continue to Framework Relationships
- Back to Niche Players Implementation