A New Recipe for Cybersecurity
November 15, 2025 in Cyber Security by Michael Meis
At the 3 Tree World Technology Summit in Portland, Michael Meis, ACISO of the University of Kansas Health System, challenged the room to rethink how security actually works inside an organization. He argued that cybersecurity struggles not because teams lack funding or tools but because the structure puts too much weight on too few people. Attackers move fast and the traditional model cannot keep up.
The core issue
Most organizations treat security as something that happens after the fact. Developers push code. Infrastructure keeps systems running. Identity grants access. Each group introduces risk without owning it. Security teams then spend their time chasing problems created upstream.
This setup forces security into a constant reaction cycle. It also hides risk from the teams that build and maintain the systems.
Why the traditional model fails
A centralized security team cannot review every release or patch every system. It cannot validate every configuration or monitor every identity path. Even strong programs end up firefighting because the operating model places security outside the work.
When security sits apart from the team’s building and shipping technology, it slows delivery, disconnects responsibilities, and creates gaps that attackers exploit.
A more resilient approach
Meis outlined a model that works more like a well-run kitchen. Everyone follows the same safety expectations. No one relies on a single person to keep the environment safe. Applied to technology, this means:
Developers build secure code as part of their process. Infrastructure teams patch and harden their own systems. Identity teams monitor privilege and authentication risk. Security leaders set standards, guide teams, and focus on strategy rather than cleanup.
This approach tackles risk where it begins. It accelerates development and reduces repeat issues because ownership sits with the people closest to the work.
Why this shift matters
Security becomes effective when it lives inside the teams that create and maintain the technology. That requires clear expectations, updated job descriptions, and incentives that reward secure work. Once accountability aligns with daily responsibilities, security becomes part of the operating culture rather than a last-minute checkpoint.
Organizations that adopt this model gain speed, clarity, and resilience. Those that hold on to the old structure continue to add tools and headcount without solving the real problem
Michael Meis is a security leader with a passion for architecting security programs, leading people, and developing world-class security teams.
During his career, Michael partnered with the USDA CISO to develop one of the largest consolidations of security services in the federal government. Michael also led the H&R Block Information Security team through a transformation of their GRC operations to instill quantitative cyber risk management practices. Michael currently leads The University of Kansas Health System Cybersecurity team as they protect the critical systems, data, and people that provide lifesaving patient care.
