McKinsey & Company, together with most leaders in Strategy Consulting, have involved themselves more and more in Cyber Security over the past few years – and their latest article “Repelling the cyberattackers” offers an excellent analysis and set of actions towards Digital Resilience. Congratulations to James Kaplan, Allen Weinberg and their teams.
In fact, the article echoes many themes we have mentioned here repeatedly, in particular throughout our series “The CIO Guide to a successful Information Security Practice” (a summary of which was published here):
- Cyber Security is too often seen as a mere technical discipline, while in fact, it is a complex cross-silo activity that has to reach beyond IT into the Business and other corporate practices – such as HR, Legal and Procurement
- Cyber Security must be approached as a structured practice, not just a collection of IT projects – and sound Governance is paramount
- It is essential to think of Cyber Security from a business process perspective, supported by technology – and not the other way round. The business will always understand controls when spoken to in its own language
- In such a context, reporting lines, organisational structures and the personal profile of the Cyber Security transformation agents (the CISO and their team in most large organisations) are key to success
The article rightly focuses on driving tangible action, instead of “highly abstract (and therefore largely meaningless)” risk discussions – which is a view we totally endorse.
It puts the road to Digital Resilience into some historical perspective, which was one of our criticisms of the 2014 report “Cyber Security in a Hyper connected World” – published ahead of the World Economic Forum meeting in Davos last year. But it must be acknowledged that the journey to Digital Resilience will be specific to each large organisation, and that most are still at fairly low levels of Cyber Security maturity.
In spite of decades of spending in the IT and Information Security space, many large organisations are still struggling with “pre-2007” problems (in reference to Exhibit 1 from the McKinsey article), where Cyber Security is seen as a necessary evil imposed by regulations – at odds with functionality and preventing innovation and agility, instead of a necessary barrier to protect the business from real and active threats.
On their road to Digital Resilience, organisations have to accept first that Controls are essential, but getting to that realisation after 10 to 15 years of complacency, neglect or short-termist “tick-in-the-box” practices will not be simple. And only by identifying and removing the roadblocks that have prevented progress in the past, will they establish a genuine and lasting transformation dynamic.
In our opinion, this is a problem deeply rooted in governance, organisational and cultural matters that requires a fundamental rethinking and rewiring of Information Security practices.
This must come from the top and in that context, Board involvement and “senior cross-functional oversight” is essential – as the article rightly states – to avoid a “mere patchwork of compromises”. The Board must be prepared (and able) to look at the problem over the long-term and stick to it.
Of course, real change in that space will require a long-term transformative vision (supported and funded by the Board), articulated into a strategic Security Roadmap and a sound Security Governance model – reaching across all corporate silos and geographies.
But fundamental to success will be the personal gravitas, political acumen and management skills of the key transformation agent (the CISO in most large organisations). The CISO should have the seniority and experience required, and remain in charge over the necessary period to oversee real change – meaning they may have to consider their tenure over a 5 to 7 year horizon in many cases.
In such a sensitive area, changing approach every 2 to 3 years, every time a new CISO comes in or every time something happens at Board level, is simply a recipe for failure. And when coupled with an excessive technical focus and a short-termist compliance obsession, this could be the main reason why so many large organisations still show such low levels of Cyber Security maturity today.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.