Strategy and Governance /

Cyber Security Transformation is Rooted in Governance and Culture; not Technology

Information governance

Compliance and audit-oriented “tick-in-the-box” practices are still underpinning many InfoSec strategies. Huge sums of money are being spent on supposedly “one-size fits all” reactive solutions to one-off threats. However, such a firefighter mentality is at odds with the holistic, preventive protection that an efficient 21st century InfoSec strategy requires.

Cyber threats have become increasingly salient for most organisations, with potentially fatal consequences in terms of operations, finance and reputation. The board must realise the growing ubiquity of such threats—and the hard, cold fact that cyber-attacks are no longer a matter of “if” but a matter of “when”.

This is not just a technology problem

Your organisation forms the most efficient shield against potential threats, and as such a transition towards an effective InfoSec Governance is the only way ahead. A clear, simple and consistent security mindset must be embedded at every level of the organisation. For many large organisations, this is no longer a matter of awareness development, but a profound matter of cultural change.

Rome was not built in a day. Neither will a lasting InfoSec culture.

As with any organisational change, it will always be a medium to long term journey.

For most of the Roman Empire’s glory, the protection of the city of Rome was deemed a secondary issue which could be addressed on an ad-hoc basis with interventions by the Roman Army. It took the Romans more than 300 years, and the pressure of a growing crisis due to barbarian threats, to finally decide to build the Aurelian Walls as a consistent and lasting security strategy for their city. They took 4 years to build, but they protected the city for almost 2 centuries.

As Cyber security transformation experts, we feel a lesson can be drawn from history. Most organisations’ current approach to InfoSec is, in many regards, very similar to that of overconfident Roman emperors—short-term oriented, overly expensive, and inefficient in the face of growing threats. Good practices have existed for decades and will go a long way to protect against those threats, but they need to be in place.

In that respect, for many large organisations, driving cyber security change starts by looking back and removing the roadblocks that have prevented action in the past. All of those – under investment, adverse prioritisation, complacency – do challenge governance and cultural practices up to Board level. Addressing them is a complex management exercise, and definitely not an IT matter.


JC Gaillard

Managing Director

Corix Partners

Contact Corix Partners to find out more about developing a successful Information Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

This article was written in collaboration with Vincent Viers for LinkedIn Pulse and originally published on 23 February 2016.