Lesson 10: The IT-Security Tug-of-War – Balancing Agility and Compliance

By Tom Jones, IT Project Manager

Welcome back to my 21-part series on lessons learned throughout my IT project management career. Today’s topic is one that every IT project manager has wrestled with at some point: the constant battle between business agility and security compliance.

On one side, you have the business teams who want to move fast, innovate, and launch new features yesterday.

On the other side, you have the security and compliance teams who want to lock everything down, run exhaustive risk assessments, and add six layers of approvals before anything goes live.

Sound familiar?

In today’s lesson, I’ll cover:

  • Why IT and security teams always seem to be at odds.

  • How to strike a balance between agility and risk management.

  • The biggest mistakes companies make when handling security.

  • How ezRACI helps ensure compliance without stalling progress.


The Security Showdown That Almost Killed a Product Launch

In 2013, I was leading a customer portal upgrade for a major financial services company. The business team wanted a seamless digital experience that let customers access real-time data, submit requests, and make account changes online.

The security team? They saw this as a potential data breach waiting to happen.

  • They wanted multi-factor authentication, role-based access, and encrypted session management.

  • The business team complained that the extra security steps would frustrate customers and hurt engagement.

  • The legal team was caught in the middle, unsure which side to take.

After weeks of deadlock, the project stalled—until we found a compromise.

By involving security early and building a risk-based approach to feature rollouts, we managed to:

  • Implement security controls in phases instead of all at once.

  • Allow low-risk features to launch sooner, while high-risk ones went through deeper security reviews.

  • Use ezRACI to define clear roles so security approvals didn’t become a bottleneck.

This taught me an important lesson: Security and agility aren’t enemies—they just need to be balanced properly.


The 5 Biggest Security vs. Agility Mistakes (And How to Avoid Them)

🚨 1. Security is Brought in Too Late

❌ What happens: The business builds a system, then security steps in at the last minute and blocks deployment.

✅ Fix it:

  • Involve security at the start of the project, not right before go-live.

  • Hold joint planning meetings between IT, security, and business stakeholders.

  • Use ezRACI to assign security responsibilities from day one.

🚨 2. Security Policies Are Too Rigid

❌ What happens: Security teams enforce one-size-fits-all policies that slow down innovation.

✅ Fix it:

  • Use risk-based security models—not every system needs the same level of controls.

  • Define acceptable risk thresholds instead of just saying “no.”

  • Work with business teams to implement security in phases.

🚨 3. Business Teams Ignore Security Best Practices

❌ What happens: The business bypasses security to move faster, leading to shadow IT and compliance risks.

✅ Fix it:

  • Educate business teams on why security matters—make them part of the process.

  • Create a fast-track approval process for low-risk changes.

  • Establish a RACI matrix to clarify who is responsible for security decisions.

🚨 4. Security Reviews Lack Transparency

❌ What happens: Business teams don’t understand why security is rejecting requests, leading to frustration.

✅ Fix it:

  • Require security teams to provide clear explanations when denying a request.

  • Create a decision log to document security approvals and rejections.

  • Track all security-related issues in ezRACI to ensure transparency.

🚨 5. Compliance is Treated as a ‘Check-the-Box’ Exercise

❌ What happens: Companies only worry about security when an audit is coming up.

✅ Fix it:

  • Make security a continuous process, not a one-time task.

  • Automate compliance tracking with tools like ezRACI.

  • Establish monthly security check-ins to review risks proactively.


How ezRACI Helps Bridge the Gap Between Security and Agility

Security conflicts arise when roles and responsibilities aren’t clear. That’s why I use ezRACI to:

  • Define who owns security approvals for each project phase.

  • Create transparency between IT, security, and business teams.

  • Track compliance and risk assessments without slowing down development.

If your organization struggles with balancing security and agility, ezRACI can help you find the middle ground.


Final Thoughts: Security and Agility Can Coexist

The biggest lesson I’ve learned? Security isn’t about saying ‘no’—it’s about managing risk in a way that allows the business to keep moving forward.

  • Engage security early to avoid last-minute roadblocks.

  • Use risk-based security policies instead of rigid rules.

  • Make compliance a continuous process, not an afterthought.

Next time, in Lesson 11: The Art of the Executive Status Report, I’ll share how to deliver project updates that keep leadership engaged—without overwhelming them with unnecessary details.


Disclaimer: This blog is written from the perspective of Tom Jones, a fictional IT Project Manager, and is intended for informational and educational purposes. While based on real-world project management principles, all anecdotes and characters in these posts are entirely fictitious. Any resemblance to actual persons or events is purely coincidental. The blog also references ezRACI, a project management tool designed to help teams succeed in project execution. However, these opinions are solely those of the fictional character and do not constitute an official endorsement.

About Tom Jones

Tom Jones: A Veteran IT Project Manager Navigating the Complexities of Enterprise Technology

Tom Jones is a seasoned IT Project Manager with over two decades of experience leading complex enterprise technology initiatives. Based in South Florida, Tom has built a reputation as a pragmatic, results-driven leader who thrives on solving intricate business and IT challenges. His expertise spans project management, IT security, large-scale system migrations, and process optimization, making him a trusted figure in the industry.

Early Life and Education

Tom was born and raised in Pennsylvania, eventually attending Penn State University, where he earned a Bachelor of Science in Management Information Systems (MIS) in 2003. His passion for technology and business integration was evident early on, as he quickly grasped the nuances of systems architecture and project execution. His ability to bridge the gap between technical teams and business stakeholders became a defining characteristic of his career.

Professional Journey

Tom's career began at Unilever HPC as a Systems Analyst, where he got his first taste of large-scale enterprise operations. However, he quickly sought new challenges and moved to Washington, D.C., to work as a Consultant for the Department of Defense. This experience exposed him to high-stakes, mission-critical projects where precision and security were paramount.

Over the years, Tom took on increasingly demanding roles, managing SAP migrations, IT security projects, and various large-scale initiatives across industries. His ability to navigate high-pressure environments and deliver results led him to leadership roles in project management, where he excelled in driving teams toward successful project completion.

Leadership Philosophy

Tom's leadership style is rooted in accountability, transparency, and strategic execution. He believes that successful project management isn't just about timelines and budgets—it’s about aligning business objectives with technology solutions while fostering a culture of collaboration and continuous improvement. His direct, no-nonsense approach has earned him the respect of peers, executives, and technical teams alike.

Entrepreneurial Ventures and ezRACI

In recent years, Tom has expanded his expertise into entrepreneurship, co-founding ezRACI, a SaaS platform designed to streamline compliance, audit trails, and project management workflows. Recognizing the inefficiencies in traditional project management tools, he sought to develop a solution that integrates collaboration features like Slack and MS Teams, industry-specific templates, and intuitive dashboards for workload optimization. His goal with ezRACI is to help teams achieve clarity, accountability, and efficiency in their IT projects.

Personal Life

Beyond his professional accomplishments, Tom is a devoted husband and father of two elementary school-aged children. He enjoys spending time with his family, coaching his kids' sports teams, and keeping up with the latest industry trends. His wife, who works at the local library, shares his appreciation for continuous learning and knowledge-sharing. Together, they have built a life centered around personal growth, resilience, and community.

Legacy and Vision

With over 21 years in the industry, Tom Jones remains a passionate advocate for effective project management and IT governance. Through his blog, he shares lessons learned, war stories from past projects, and insights on optimizing workflows in modern enterprises. Whether leading large IT transformations or mentoring the next generation of project managers, Tom's mission remains the same: to drive efficiency, innovation, and lasting impact in the world of enterprise technology.

As he continues to build ezRACI into a premier project management tool, Tom is committed to reshaping how teams collaborate, execute projects, and maintain compliance in an ever-evolving digital landscape.