We conducted a Q&A interview with Jean-Christophe Gaillard, leading security influencer and Managing Director at Corix Partners, regarding the role of the CISO and how it sits within organisations today.
Could you introduce yourself and what you do?
I am the Founder and Managing Director of Corix Partners.
I have been living and working permanently in the UK since 1993, and I have been involved with cybersecurity since the late 90s. I became the Chief Security Officer at Rabobank International in 2000 and built that practice from the ground up across a decade, eventually setting up Corix Partners in its current form in 2011.
At Corix Partners, we have been working mostly with large organisations, helping them build or rebuild security organisations and operating models that create real and lasting value to their business.
The role of Chief Information Security Officer (CISO) has become a lot more popular in recent history, what does the role of a modern-day CISO entail?
You’re right; the role of the CISO and its evolution has been a big topic of discussion for a few years now across security communities.
In fact, the role has been evolving organically for over 20 years, but in many respects, it is still in formation.
And let me say as well that it is often overly simplistic to talk about “the CISO” as roles can vary greatly depending on industry sectors and the security maturity levels of each organisation.
The role and its evolution is something I have been exploring since 2015 on the Corix Partners blog, via its sister think-tank the Security Transformation Research Foundation, and since last year also with techUK; we released the first with techUK in December which covers a lot of what we are going to talk about in this podcast, and there is more to come throughout 2021.
Do you think that the increasing number of CISOs in business is a result of better understanding of our situation and how much information we are sharing (both as people and businesses)?
Yes I think you’re right; when I started attending security conferences over 20 years ago, most of my peers were in Finance, big Pharma, Oil & Gas; regulated industries and industries where security works hand in hand with safety, and where safety is a pillar of the culture of the sector; today, most industry sectors have some form of security practice.
I think it is a direct consequence of the “when-not-if” paradigm around cyber attacks and the fact that cyber threats have targeted all industry sectors and all enterprises irrespective of size. Many organisations which would not have had a CISO 10 years ago now have one as the result.
How much has that changed from what it looked like previously?
At Corix Partners, we ran a piece of quantitative research with our sister think-tank The Security Transformation Research Foundation in 2019, by which we analysed the semantic content of the last 17 annual Global Information Security Surveys from EY, looking to see how the language we use to talk about cybersecurity has changed over the last 2 decades.
We can see clearly 2 decades emerging: During the first decade of the century up to 2010, the language used is dominated by considerations of risk and compliance; the CISO is effectively a risk manager, and information security, a sort of insurance policy against regulatory troubles; that matches well with my own experience; I was Chief Security Officer for Rabobank International at the time, and I left that job in 2009; all that was very much part of my day-to-day.
But from 2010 we see the language shifting: The word “threat” becomes more prominent than the word “risk” and incident-related language becomes more prominent than compliance-related language; it is the decade during which many organisations start to realise that security cannot be seen anymore JUST as a balancing act between compliance requirements, risk appetite and costs; that threats are real and security has to become a necessary barrier against real threats which can dramatically impact your business, all that in a context of massive technological change (and the aftermath of a historic financial crisis).
The drivers behind that realisation are rooted in the non-stop avalanche of cyber attacks we have seen throughout the decade across all industry sectors, which have also kept many CISOs in a constant firefighting mode.
This is a problem, because many CISOs have been stuck in overly technical roles, in which they have not been able to develop the management and leadership skills that are now required to drive truly transformative initiatives around cybersecurity.
Because, and that’s the other thing which has happened towards the end of the last decade, the penny has started to drop in many boardrooms around what I have been calling the “when-not-if” paradigm; this is not just about risk appetite anymore and the board would often consent to large investments in that space but in return demands execution and protection around cybersecurity; all that puts CISOs and CIOs under considerable pressure.
But getting things done on such a transversal topic – in particular in large organisations – requires more than just technical skills; it requires political awareness, personal gravitas and a knowledge of the business you are unlikely to have picked up if you have been firefighting technical problems for years like many CISOs.
CISOs often end up in impossible positions, where they are being asked to be credible one day in front of the board and the next in front of pen testers or app developers, all the way across the firm and all the way across its technical stack; and now even across its supply chain…
Let’s be clear: Those profiles don’t exist; all this simply breeds frustration, alienation and burnout; so things will need to evolve around the role sooner than later.
There is a growing interdependence between physical and cybersecurity, does this mean that organisations should be introducing (or developing) both the role of CISO and CSO?
It is not just physical and cyber which are coming together, but they also overlap more and more with continuity and resilience, and with the pressing need to ensure data privacy compliance in the face of mounting regulation worldwide.
All those aspects have one thing in common: It’s their transversal nature; the fact that to make things happen and move the needle on those matters you have to be able to reach and to influence across corporate silos: IT, HR, Legal, Business Units, Geographies etc…
Many CISOs are not capable of leading in that way, because most are technologists by background and by inclination, and the leadership skills required are not skills you develop by firefighting technical problems day-in-day-out.
So positioning an elevated CSO type-of-role indeed makes more and more sense in many organisations, but it needs to be framed appropriately.
It seems that CISOs are only just being introduced into organisations and the C-suite team, which almost feels too little too late considering how far we are down this path (both as people and businesses). What are the other obstacles that CISOs face?
As we said before, the CISO role has been around in one shape or another for the best part of the last 2 decades in some industries, and it has gradually permeated the whole of the economic fabric, but let’s face it: Currently, irrespective of the title used, many CISO roles are not true C-Level roles; at best, the role reports to a C-Level exec; but it is not rare to find situations where it is still buried in the organisation.
You cannot drive fundamental transformation bottom-up around a subject so complex and transversal as cybersecurity; so businesses that have that objective must elevate the role of their security leader.
That’s generally when the CSO profile we were talking about earlier starts.
What do you think will be the changes or evolution for the role of CISO in the future?
I think the role is at a crossroad.
Frankly, bottom-up, tech-centric, tech-heavy approaches to dealing with cybersecurity problems have failed in my view – in particular in many large organisations; many are nowhere near the maturity level they should have reached in relation to the amounts spent over the years.
It’s not just that the threats evolve too quickly; good practices such as patch deployment and identity management are as old as good practice itself in that space; and they still protect to some extent.
The main problem is that siloed mindsets and internal politics come in the way of execution in large firms; CISOs are trapped in tactical games, and short-termist priorities prevail; nothing gets done, beyond low hanging fruits; nothing ever gets finished; CISOs get frustrated with adverse prioritisation and leave after a few years having achieved little in real terms.
The COVID crisis has made most organisations heavily dependent on digital services, internally and externally; and cyber attacks have been relentless; all that has accentuated the short-termist tendencies which have kept the CISOs in firefighting mode for a decade.
For now, many CISOs are stars because they’re keeping the lights on.
But going forward, I think we are going to go back to the same old problem; you cannot transform cyber security practices and culture FOR GOOD across a large organisation simply through tech-driven bottom-up initiatives.
So if that’s your objective, you will have to elevate the role somehow to engineer the board-level dynamics which, in turn, will create the top-down push required to bring change; and you will have to find or attract the right people to do that; it may not be your current CISO; it may not be someone coming with a “CISO” tag from another organisation.
You may have to think outside the box, and to look towards business profiles; but to incentivize them into the job, you need to elevate its profile and weave it into a credible expression of business purpose; and give them the sense that this is a valuable and meaningful career step (upwards or sideways).
All this points again towards a CSO type-of-job developing, next to a CISO role – more important now than ever but being confined – or returned – to its technical dimension.
“Horses for Courses” you may say … but senior executives hiring in those positions must be acutely aware of what they are trying to achieve to avoid putting the wrong people in those roles; cybersecurity has become too critical…
So I’ve seen this around quite a bit as a concept and wanted to get your opinion on it. A vast number of organisations are using fear to sell physical and cybersecurity (for example saying x event wouldn’t have happened if their system was in place). Do you think this is problematic, shouldn’t it be about building relationships, not fear?
The marketing of cybersecurity vendors is something we could talk about for a long time; personally, I don’t think using FUD is a problem; it is as old as the industry itself; I think buyers can see through that from miles and are immune to it.
I think the problem with vendors marketing is elsewhere: Many of them have a good siloed product – say in the email protection space, or in the identity & access management space – but their marketing people try to dress it up as THE solution to all problems for the CISO or the enterprise; that leads to vast amounts of spin, and very often, disappointment in the end for both parties.
It also perpetuates the idea that cybersecurity challenges are purely technical in nature; they are not; they have a technical dimension of course but the key challenges for the CISOs are often in execution, in delivering results and in selling those internally; those are management challenges, not technical challenges.
Vendors don’t care enough about product under-utilisation or under-deployment; once again, what’s difficult in large organisations, is execution; many projects never get finished, as we said before; some never take off properly; customer success should be a more prominent priority but too many vendors stop caring once the purchase order is in the bag and they have done their figures for the quarter.
So yes, you’re right; relationship building should be key, and developing a real sense of customer service to help clients execute and deliver.
If people only take one piece of information away, what should it be?
I would urge people – and hiring managers in particular – to look beyond the obvious when it comes to the role and profile of the CISO to avoid replicating the problems of the past, to go back to what they are trying to achieve around cybersecurity and to think in business terms, not just in technical terms.
This Q&A interview is exclusive to The Business Transformation Network.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners.
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on InfoSecurity Magazine, Computing, C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of the UK 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.