FOUNDED 2025 · INDEPENDENT UK PRACTICE
InfoSecAI
The Brief DISPATCH 003
PROGRAMME DELIVERY 27 MAY 2026 9 MIN READ

Why Most Cyber Transformations Stall, and How to Ship Them

Cyber transformation programmes do not fail in delivery. They fail in governance. After running a twelve-million-pound multi-year programme through to certification and several smaller ones since, the pattern repeats with unsettling consistency. Five failure modes, five governance moves.

Failure mode one. The wrong programme sponsor.

The single biggest predictor of cyber transformation success is the seniority and authority of the executive sponsor. Not the CISO. The sponsor.

If the sponsor is the CIO, the programme will be measured by infrastructure outcomes and will quietly slide into a platform refresh. If the sponsor is the CFO, the programme will be measured by cost and will optimise for the audit, not for risk reduction. If the sponsor is the COO, the programme will be measured by operational continuity, which is closer to right but still partial.

The transformation programmes that ship have a sponsor with three properties. They sit on the executive committee. They have a balance-sheet view of the firm. And they have a personal exposure to the outcome, whether through accountability for regulatory breach, board reporting, or named responsibility for customer obligations. In UK firms, the COO and the General Counsel are the two roles that most often combine all three.

Failure mode two. The control library nobody reads.

The second failure mode is the most common, and it presents as success. The programme produces a control library. The library has hundreds of entries. The library is presented to the steering committee. The library is approved. The library is filed.

The library was not the deliverable. The library is a tool. The deliverable is operating controls with evidence. The programme that mistakes the library for the deliverable will spend its second year reconciling the library with what is actually happening, and will deliver neither.

The corrective move is to publish the library with named operating owners in the first quarter, then never publish it again. Subsequent reports show operating evidence, by control, by owner. The library becomes a backstop reference, not a deliverable.

Failure mode three. The vendor that became the plan.

A new tool is bought. The transformation plan begins to organise itself around the tool. The plan becomes the rollout. The rollout becomes the milestone set. The milestone set becomes the success criteria.

By month nine, the programme is on track to deliver the tool, and nothing else. The tool will solve part of one control area. The other twenty-nine domains have made no progress. The board has approved spend on the tool and is told the programme is green.

The fix is straightforward and unpopular. The tool implementation is broken out as a separate workstream with its own sponsor, its own reporting line, and its own success criteria. The transformation programme reports on outcomes by control domain, not by tool deployment status.

Failure mode four. The auditor that arrived too late.

Most certification-targeted programmes engage the certification body in the final quarter, two months before stage one. The audit then surfaces structural issues that should have been resolved in months four to six. The programme either delays certification by six months, or accepts findings and tries to close them in surveillance audits.

The correct move is to engage the certification body in month three. Not for a pre-assessment. For a scoping conversation that anchors the boundary of the ISMS, the in-scope locations, the in-scope information systems, and the in-scope third parties. That conversation, recorded, prevents the entire class of stage-one findings that derail programmes.

The same principle applies to SOC 2. Engage the CPA firm before the system description is written, not after.

Failure mode five. The CISO who stopped reporting.

Senior CISOs running large programmes have a known failure pattern. By month twelve, they are deep in delivery, surfacing problems daily, and the rhythm of executive reporting falls away. The monthly steering pack becomes quarterly. The quarterly board pack becomes annual. The narrative drifts from "we are managing the work" to "we are doing the work", and the board loses its sense of confidence.

When confidence is lost, the next budget conversation gets contested. When the budget gets contested, the programme loses pace. The cycle is hard to reverse.

The fix is procedural. The programme reporting cadence is published in the first quarter and held through delivery, regardless of how busy the CISO is. The monthly pack runs to four pages, in the same format every month. The board pack runs to eight pages, in the same format every quarter. The format never changes, even when the content is uncomfortable.

Five governance moves that ship.

Programmes that ship have five governance moves in common. They are visible early. They survive a change of CISO. And they are non-negotiable.

  1. A named executive sponsor with board reporting line, balance-sheet authority, and personal exposure.
  2. Operating-evidence reporting from week one, not control-library reporting.
  3. Workstream separation between tool deployments and control-domain progress.
  4. Early engagement with the certification body or the CPA firm before scope is locked.
  5. A fixed reporting cadence and format that does not bend to delivery pressure.

None of these are clever. None of them are new. All of them are dropped, regularly, by programmes that go on to stall. The job of the senior practitioner is to hold them in place.

WRITTEN BY

Paul Jolliffe

FOUNDER · INFOSECAI · MBA · CISSP · ISO 27001:2022 LA / LI / IA · PRINCE2 Practitioner

Twenty years of senior security leadership across financial services, healthcare, government, telecoms and technology. Independent UK practice founded 2025.