When Good People Struggle: The Human Side of Security Misalignment

Security challenges aren’t usually about tools—they’re about people, alignment, and the unseen friction that builds when roles, workflows, and reality drift apart.

I was recently heavily involved in an assessment project for a customer that fits the following description almost perfectly: solid tooling, mature security vision, and a strong team with people who genuinely cared about doing the right thing. Yet, as we went through the assessment, things still felt out of sync. As we dug in with the team, I kept coming back to a lesson I’ve learned a lot over the years: most security challenges aren’t technical at all. They’re human.

This team had invested in real security capabilities. They had strong security operations, mature network security, and policies and processes that were well thought out. They’d even staffed some roles that I’ve seen many organizations skip or consolidate. Overall, they didn’t have a “do more with less” attitude about their security program.

And yet, despite all of that, something kept them from functioning the way they wanted.

The Tools Weren’t the Problem — the Alignment Was

One of the biggest themes that emerged was misalignment between the organizational structure and the tooling. Though they had some tooling gaps (who doesn’t), they weren’t egregious. But the structure around those tools hadn’t evolved with them.

People weren’t always sure where their responsibilities ended and someone else’s began. Job descriptions didn’t match day-to-day behavior. Tasks floated across roles because ownership wasn’t clearly defined. None of it was malicious. No one was making power grabs or trying to dodge work. It was simply what happens when processes grow organically and pressure builds faster than structure.

It’s a pattern I’ve seen so many times that it almost feels universal.

Strong People Still Drift Out of Alignment

The misalignment genuinely surprised me because they had strong people in the right seats. These weren’t the wrong hires. These weren’t junior staff trying to swim in deep water. These were capable professionals doing their best within the boundaries they understood. And leadership — from the CISO down to each team — genuinely cared for their people and wanted them to learn and grow.

But even a strong team needs periodic recalibration. Alignment isn’t a one-time project — it’s something you maintain, like a car you rely on every day. Without that ongoing attention, even good teams drift.

What Others Can Learn From This

If there’s a lesson here for other organizations, it’s this:

1. Align the tooling to the org structure — not the other way around.
Start with responsibilities, ownership, and workflows. The tools should support the structure, not define it.

2. Don’t be afraid to say things need fixing.
Avoiding uncomfortable truths is how technical and organizational debt accumulate. Courage in these conversations pays off later.

3. Be ready for your assumptions to be challenged.
Everyone goes into a rationalization effort thinking they know where the problems are. The real issues are often hiding in plain sight.

A Final Thought

Security teams carry a lot. Pressure, complexity, unrealistic expectations — and a constant flow of new responsibilities. Misalignment doesn’t happen because people aren’t trying. It happens because they’re trying so hard that structure becomes secondary.

And that’s fixable.

With a little clarity, a little honesty, and a willingness to step back and reassess the “why” behind how the team works, organizations can move from struggling under the weight of their own systems to operating with purpose and confidence.

This work is hard. But the people doing it are capable. And with the right shifts, they can absolutely get where they want to go.
