This proposal is a sequel to the InfoSec World 2023 "Lessons Learned from a Policy Stack Transformation" session. It focuses on unexpected insights gleaned from from tackling resource constraints and balancing security objectives with usability during Washington State policy transformation.

The session highlights three points essential to driving cultural change by engaging with stakeholders when designing a policy stack.

1) Organizational structure impacts security requirement implementation.

2) Data governance maturity impacts risk management requirements.

3) Equity and usability considerations impact data protection requirements.

Learning Objectives:

• Attendees will learn how to analyze organizational structure and security maturity level when selecting security requirements
• Attendees will understand the impact of data governance maturity on the selection of data security controls
• Attendees will understand how to reconcile equity and usability considerations with security objectives