The cyber security transformative urgency in many firms forces a look beyond traditional technology profiles
Cyber security has risen to prominence on the agenda of many business leaders.
Large firms have been struggling with it for decades in spite of significant investments in that space, but for many across the boardroom, the realisation has taken place over the past few years that cyber-attacks were simply a matter of “when” not “if”.
In many organizations and industries where cyber security maturity has been low for decades, large scale transformative initiatives are shaping up, but in the current context of the global enterprise, with supply chains disrupted by the post-pandemic chaos, climate change and geopolitical imbalances, leading those initiatives and successfully delivering them requires a certain type of profile, which may be far from the profile of your traditional CISO.
First of all, we have reached a point in terms of urgency and complexity where successful cyber security leaders have to be trusted business insiders.
That goes way beyond the usual cliches by which the CISO “has to talk to the business in their own language” in order to paint security to them as an “enabler”. Those ships sailed long ago. Cyber security is now an imperative in the face of global and virulent threats that can simply take your business down. Period.
Business leaders want to be given assurances by somebody they can trust, that their activities are adequately protected in terms of prevention, detection, reaction and recovery. So cyber security leaders cannot be technology outsiders anymore; they have to be – and be seen as – experienced and trusted business leaders; it means understanding the day-to-day of the business, its real dynamics and challenges, and where the real pain points are for other business leaders.
That’s the basis of a common understanding on which trust will be built, and that trust platform is the only platform on which successful cyber security leaders can build the long-term foundations of any transformative efforts.
Second, cyber security leaders have to be good listeners.
That’s the other key ingredient they will need to drive a successful and lasting transformation.
Going back to the very basics of leadership, you are a leader when people follow you, and most people will follow you if there is something in it for them: listening to the expectations of all stakeholders around cyber security, taking into account their constraints and their own priorities, and embedding those into the transformation roadmap is the best recipe to build endorsement and acceptance around cyber security transformative objectives.
Such acceptance, coupled with – and maybe born out of – the trust of business leaders, will form the bedrock on which the execution of the cyber security transformative roadmap can succeed.
But one final ingredient is also required: time.
Cyber security leaders have to be mid to long-term players and visionaries.
We see too many CISOs changing jobs after 2 to 3 years out of frustration, having achieved very little apart from kick-starting a number of technical pet projects. This is not transformative in essence and has contributed to the long-term stagnation of many organizations around cyber security matters.
Even on the bedrock of trust from business leaders and their acceptance of long-term objectives, real and lasting transformation across a field as complex and transversal as cyber security can only take time, in particular where initial maturity levels are low.
In large organizations, this could mean navigating across multiple business cycles while keeping priorities set on the same long term transformative goals.
Those are capabilities which come with experience and require significant political acumen, as well as the personal commitment and willingness of the cyber security leaders to stay the course (and the commitment from senior executives that they will be incentivised to do so).
Readers may notice that I have hardly mentioned technology or technical attributes so far.
Of course, cyber security has a technical dimension, but it is a common mistake to reduce it to a pure technical discipline, while the key challenges large organizations have been struggling with over the years are at its interface with business and support functions, in terms of cultural acceptance or priority setting.
In my opinion, we have come to the point in terms of transformative urgency in many firms where cyber security leaders have to rise above the traditional technical content of their role.
They have to be just that: Leaders, active, credible and audible across all corporate silos; not just technology experts.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners.
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of UK 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.