But are the CISOs ready for it?
A comment left on one of my articles made me think: How can cyber security leaders drive a long-term transformative agenda, with a business and a board that cannot see beyond the short-term?
I see several angles worth discussing around the way the question was put, which may help break some deadlocks.
Endemic short-termism is a management problem which has been plaguing large organisations for decades. There are industries where it makes sense because they are rooted in short-term cycles; there are industries where it doesn’t and simply reflects an obsessive focus on shareholders return.
Two trends are worth bearing in mind in the particular times we are going through:
First of all, the COVID crisis has obliterated – for now – any type of long-term perspective across many industries; you cannot blame your business for thinking short-term, where – frankly – there is no other option.
At the same time, many corporate post-pandemic agendas are driving a focus on purpose, ESG matters and a move towards stakeholder capitalism, away from shareholder capitalism; success on those fronts will require vision and long-term leadership: We will not “build back better” in that way overnight…
So, understanding why their business is focusing only on short-term matters, has to be a starting point for cyber security leaders looking to position longer-term objectives, as well as understanding where the business and the Board are around the post-COVID pivot, because that may drive a change in focus.
Ideally, you would use that pivot to embed cyber security and privacy as pillars in the firm’s post-pandemic objectives, but to achieve that, cyber security leaders need to have access to the board agenda and this is not something they can dictate; this is something you build up over time through management and political acumen, and also through the trust deposited in you, which would have come from your execution capabilities.
CISOs simply pushing bottom-up technical narratives and metrics towards the board often fail at building up that type of relationship. They downgrade their function and themselves by limiting its scope to a technical and operational dimension, and the board ends up seeing them as mere “firefighters”.
The COVID crisis would have accentuated that tendency in many organisations: CISOs who only bring short-term technical problems to the board, will only hear short-term answers in return, and over time, simply become incapable of breaking into a longer-term agenda, because they have not built up that credibility when they could have done.
Of course, there must be organisations where the board does not want to hear anything else around cyber security, because they feel this is simply an operational matter which lives a long way below them. For those, it is often enough to have the CISO wheeled-in once or twice a year, before swiftly moving on to more “important” matters. Unfortunately, cyber attacks have been relentless, their impact – financial and reputational – has sky-rocketed and that type of attitude is increasingly becoming more and more difficult to sustain.
Still, to break into the long-term agenda with the board, cyber security leaders need the right levers.
Since 2019, we have been advocating that anchoring cyber security and privacy as pillars of a firms’ ESG strategy could be a good start: There is no doubt that corporate post-pandemic agendas are likely to help with that in most organisations, but only for cyber security leaders who have managed to build the right channels to tap into it.
For the others, unfortunately, short-term firefighting, accentuated by the pandemic could become a trap difficult to escape.
