I have been involved with information security matters for almost 20 years and started writing regularly on the topic in 2015.
Talking to CISOs, CIOs and their teams as part of my day-to-day field work as consultant, I was horrified by what I was seeing in large corporates in terms of security maturity levels and the actual problems some were still struggling with – something that goes way beyond anecdotal evidence and is at the heart of survey after survey every year.
After all, information security good practices have been well established for over 20 years and many industry bodies have been promoting them and evolving them throughout that period.
Why is it that large firms which have had fully functioning information security teams in place all that time, and have spent – collectively – hundreds of millions on the topic, are still struggling today with issues – such as patch management – which should have been on their radar for over 10 years?
There is truly a cybersecurity lost decade for many between the Code Red, Slammer and Blaster outbreaks of 2001-2003 and the 2017 WannaCry and Petya attacks – and maybe the more recent Equifax data breach.
By failing to get the basics right in terms of security during that time while continuing to engage in massive cloud-driven IT transformation programmes which have turned the enterprise into a truly borderless hybrid, many large firms have dramatically increased their level of exposure to cyber threats. And now the acceleration of the digital transformation through a variety of data-driven emerging technologies – from driverless vehicles to drones or chatbots – is about to make things even more complex.
To create different dynamics around cybersecurity and make true progress, large organisations must stop thinking of the topic in purely technological terms, look back and address urgently the underlying cultural and governance issues that have been the true roadblocks of that “lost decade”.
This is the theme I have been developing over the past 2 years through my contribution to the Corix Partners blog and we have now collated into a book (“Cyber Security: The Lost Decade”) a selection of 34 articles published between February 2015 and August 2017, in collaboration with Neil Cordell and Vincent Viers.
They frame our reflection on those matters and offer – we think – elements of the solution to start changing the narrative around cybersecurity.
We hope readers will find it thought-provoking and that it will help some move forward.
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners.
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of the UK's 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.