Many CISOs complain of communication problems with their business. They are not being listened to. They are not getting the budget they think they should get. They feel their business prioritises against security too often.
It has been a recurring theme amongst information security professionals for the best part of the last 15 years, and it is rooted in a wide range of factors, amongst which the profile of the CISO is often a dominant limitation.
People simply trust other people
This excellent November piece from McKinsey on cyber security deserves a comment (“A Framework for Improving Cybersecurity discussions within Organizations” – Jason Choi / Harrison Lung / James Kaplan).
Security is not about “enabling” the business but “protecting” it
At the end of a keynote speech I gave at the excellent CIOWaterCooler LIVE! event in London on 28th September 2017 on security organisation, governance and creating the dynamics for change around cyber security, I was asked a challenging question on which I would like to elaborate: