Time to Deal with Cyber Security Strategically, and from the Top Down By Jean-Christophe Gailard

This is no longer just about tech — if it ever was

Surveys focused on the concerns and priorities of the CISO community have been quite consistent over the last few years, and collectively, they paint a slightly uncomfortable picture: The picture of CISO roles and security practices still operating bottom-up, disconnected from the dynamics of the business and the broader culture of their organisation.

In spite of the non-stop avalanche of cyber-attacks we have seen over the past decade, many CISOs still complain about a lack of board-level engagement and difficulties in getting sufficient budgets.

The overall sentiment is one of frustration, leading to (well-documented) shorter tenures and burnout problems.

But another aspect which is often overlooked in the background is the lack of operating structure many cyber security practices seem to have.

Instead of being built around some form of operating model that would detail processes, tasks, roles and responsibilities for all stakeholders, they seem to be driven by projects (in proactive or reactive mode) and operational tasks aggregated over time (exception management for some, privileged access management for others etc…)

In fact, in absence of a structured framework to work against, this is often the only way those cyber security practices can operate, evolving “as they go along”, in project mode or in firefighting mode.

Security awareness ends up being a perennial low-hanging fruit and an easy sell for CISOs, when they cannot find other levers, but the emphasis on developing a stronger security culture cannot be the only axis of action for the CISO.

But how can you justify budgets, attract or retain talent without a structured referential to work against, and in absence of a clear governance model, roles, responsibilities and — to a degree with regards to staff retention — clear career paths?

And again, how can you claim you do not have enough staff in absence of a target operating model, detailing tasks and the resources required to deliver those tasks? It can only be a finger-in-the-air exercise; the very kind any half-decent CFO would smell miles away.

This kind of empirical, bottom-up and organically developed cybersecurity function does not work. It has failed to protect large organisations over the past two decades and needs to evolve.

What is required is structure, business acumen and top-down engagement.

The culture of frustration many CISOs have developed is probably comfortable for some; there is always someone to blame (“the business”) and another juicy job to move into afterwards.

But it does not help organisations and society at large.

To break this spiral of failure, the profile of the CISO needs to evolve and the board needs to take ownership.

This is no longer just about tech — if it ever was. This is about protecting the business against cyber-attacks which have now become a matter of “when not if”. This is no longer something you can push down in the organisation.

If the board does not see the need — or does not feel qualified — to step in, nothing will never change for good around cyber security because it has simply become too complex and too transversal in large organisations. Bottom-up approaches will continue to pour cash down the drain and CISOs will continue to leave every other year out of frustration. And breaches will continue to happen.

If the board wants to set directions, they should drive: Appoint someone they trust and can talk to (it does not have to be a technologist) and empower that person to build or rebuild cyber security practices across the firm, in the light of what the board wants and expects.

The COVID crisis has presented most organisations with unprecedented situations, but it has not made cyber security less of a priority. On the contrary, cyber security — whether it is in support of remote working, e-commerce or digitalised supply chains — has become a pillar of the “new normal”.

Now is the time to deal with it strategically, and from the top down.

 

 

 

Jean-Christophe Gaillard is the Founder and Managing Director of Corix Partners

He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.

He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on, InfoSecurity Magazine,  Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of UK 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.