For over two decades, organizations have invested heavily in cybersecurity—billions upon billions globally—yet the same structural weaknesses persist and breaches keep happening. This raises a fundamental question: What if cybersecurity was never primarily a technology problem to begin with?
My own realization came early. When I took on the Chief Security Officer role at Rabobank’s International Division in the early 2000s, I assumed, like many at the time, that the challenge would be defining and implementing the right technical controls. But it quickly became clear that the real difficulty was not what needed to be done. Even then, good practices were emerging, and foundational standards were already taking shape. Knowing what to do was, in many respects, the easy part.
The real challenge was—and still is—how to get things done, and by whom.
That distinction is critical. Cybersecurity operates across those three dimensions.
The industry has spent decades refining the what. Frameworks, standards, and best practices have matured significantly. But organizations continue to struggle with the how and the who—and those are not technical questions. They are leadership and governance challenges.
The Illusion of Strategy
Many organizations proudly present comprehensive strategy documents outlining their approach to cybersecurity. These strategies are often well-written, aligned with industry frameworks, and technically sound. Yet, in practice, they fail to deliver meaningful change.
Why? Because they focus almost exclusively on the what.
The how is typically reduced to a question of budget and resources. The who, meanwhile, is often left ambiguous or fragmented across multiple functions. Governance is treated as an afterthought.
But cybersecurity transformation cannot be achieved by simply throwing more money at the problems. If it were, those would have been solved long ago. Large organizations are complex organisms. They are political, territorial, and often driven by competing priorities and personalities. Ignoring these realities is not strategy—it is just wishful thinking.
A genuine cybersecurity strategy must confront these dynamics head-on. It must cut across silos, address organizational friction, and acknowledge past failures. It must define not just what needs to be done, but how change will be driven and who is accountable for delivering it.
Moving Beyond Risk
For years, cybersecurity has been framed as a risk management issue. Boards have been encouraged to define their “risk appetite” and align security investments accordingly. While this approach had its merits, it is increasingly disconnected from reality.
Today, cyberattacks are not hypothetical. They are inevitable.
The “when, not if” paradigm is now widely understood at executive level. Leaders read the news, observe competitors across their industry, and recognize that incidents occur with alarming regularity. In this context, cybersecurity is no longer about managing uncertainty—it is about preparing for certainty.
This shift has profound implications. It moves the conversation away from risk appetite and toward resilience and business protection. It is no longer sufficient to ask, “How much risk are we willing to accept?” The more relevant question becomes, “How do we ensure the business continues to operate when disruption occurs?”
The Importance of Ownership
If there is one indicator of whether a cybersecurity strategy will succeed, it is ownership.
For too long, organizations have attempted to drive cybersecurity from the bottom up. CISOs and security teams have been tasked with influencing senior leadership, often without the necessary authority or context. This approach has consistently fallen short.
Alignment with business strategy cannot be achieved from the periphery. It must originate at the top of the firm.
When cybersecurity is owned at executive or board level—clearly, visibly, and credibly—it becomes inherently aligned with corporate priorities because it is simply part of them. Without that ownership, misalignment is almost inevitable.
This is not a criticism of CISOs. On the contrary, it reflects the structural limitations of the role as it is often defined today. Many CISOs are expected to operate across technical, regulatory, and strategic domains simultaneously, while lacking full visibility into executive decision-making. Over the past decade, it has simply become an impossible balancing act.
Rethinking Governance
If cybersecurity is fundamentally a governance challenge, then governance structures must evolve accordingly.
At present, accountability is often diffuse. Boards provide oversight, executive teams manage operations, and security functions attempt to bridge the gap. This fragmentation creates ambiguity and weakens effectiveness.
Clear accountability must sit with the executive team. The board’s role is to supervise and hold executives accountable, not to manage cybersecurity directly. Within the executive layer, responsibilities must be explicit, measurable, and—where appropriate—linked to performance and remuneration.
Looking ahead, I believe we will see the emergence of new leadership roles that reflect the changing nature of cybersecurity.
The traditional CISO model is under strain. The expectations placed on the role are too broad, spanning technical expertise, regulatory compliance, strategic alignment, and board engagement. Few individuals can excel across all these dimensions.
A more sustainable approach is to elevate cybersecurity into a broader business protection function. Titles may vary—Chief Resilience Officer, Chief Trust Officer, or similar—but the principle is the same: A senior executive responsible for aggregating all aspects of organizational protection.
Crucially, this role must be filled by a business leader, not solely a technologist. It should be positioned as a meaningful career step, with clear pathways for development and progression.
The Road Ahead
Cybersecurity is at an inflection point. For decades, the industry has focused on defining what needs to be done in the face of evolving threats. The next phase requires a shift toward execution and accountability (the “how” and the “who” of change).
This is not a marginal adjustment—it is a fundamental transformation.
Organizations that embrace this shift will move beyond reactive, siloed approaches and build integrated, resilient systems capable of withstanding disruption. Those that do not will continue to invest heavily without achieving meaningful outcomes.
The choice is clear. Cybersecurity must be recognized for what it truly is: Not a technical challenge, but a leadership and governance imperative.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
An edited version of this article was published on Forbes on 19th May 2026 and can be found here.
