Balancing Agility, Operational Business Requirements and Cybersecurity in a Large Public Organization
Open Access
Article
Conference Proceedings
Authors: Mascha Van Dort, Rick van der Kleij
Abstract: Enterprise cybersecurity is undergoing significant transformation due to the widespread adoption of agile development and self-steering teams, particularly in large organizations. Traditionally, cybersecurity governance has been centralized, relying on structured coordination across people, processes, technologies, and compliance mechanisms. However, agile methodologies—marked by decentralized, autonomous teams—have shifted organizational dynamics from hierarchical to distributed models. While this enhances responsiveness and innovation, it also introduces fragmentation in cybersecurity responsibilities, complicating unified decision-making and the enforcement of security controls.

This study explores how large agile enterprises can effectively manage cybersecurity, with a specific focus on ransomware threats. Through qualitative interviews with nine cybersecurity professionals from a highly digitalized public organization in the Netherlands, the research identifies two core organizational tensions: (1) balancing agility and cybersecurity in decision-making about security controls and risk management, and (2) balancing operational business requirements with cybersecurity improvement.

The first tension stems from the fragmentation of cybersecurity responsibilities across agile teams. Respondents reported weakened accountability, inconsistent policy enforcement, and an over-reliance on tools to bridge communication gaps. These challenges are linked to mechanistic thinking—an outdated organizational mindset that views departments as isolated units. This leads to siloed operations and a narrow focus on technical solutions. To address this, the study advocates a systems thinking approach, which views organizations as dynamic networks of interdependent elements. Systems thinking emphasizes holistic understanding, collaboration, and feedback loops.

A key recommendation is the introduction of boundary spanners—individuals who bridge communication gaps between teams and align local actions with enterprise cybersecurity goals. These roles facilitate cross-team coordination, support unified decision-making, and help integrate cybersecurity efforts across the organization.

The second tension involves the misalignment between the steady rhythm of operational teams and the dynamic pace of cybersecurity innovation. Operational teams prioritize stability, while innovation efforts require flexibility and rapid iteration. This mismatch is exacerbated by out-group bias, where teams resist adopting solutions developed externally, leading to inconsistent security practices and delayed implementation of improvements.

To overcome these challenges, the study proposes a programmatic approach to cybersecurity improvement. A program, defined as a coordinated set of related projects, ensures strategic alignment, resource allocation, and effective decision-making. The approach incorporates short-cycled project phases—explore, experiment, pilot, and scale—each with clear objectives and standardized methods. This structure accommodates operational constraints while ensuring timely progress and shared ownership.

A successful example of this method is found in the Dutch financial sector, where the Partnership for Cyber Security Innovation (PCSI) implemented a four-month cycle with joint steering committees. This setup promoted inclusivity, countered out-group bias, and enhanced cross-organizational cybersecurity awareness.

In conclusion, the study underscores the need for systems thinking and structured program management to align agile practices with robust cybersecurity strategies. By addressing internal tensions and fostering collaboration across teams, organizations can enhance their resilience against complex cyber threats while maintaining the benefits of agility. Future work will involve field-testing these models, including training boundary spanners and implementing short-cycled programs, with a one-year implementation horizon recommended for optimal impact.
Keywords: Enterprise Cybersecurity, Large-scale Agile, Ransomware, Boundary Spanning, Short Cycled Innovation Programs, Cyber Resilience
DOI: 10.54941/ahfe1007040
AHFE Open Access