
Stuck on Repeat: The Cybersecurity Clichés Keeping the Industry in the Dark


Three More Cybersecurity Clichés That Need Challenging


In one of my recent articles, I challenged three deeply entrenched cybersecurity clichés that, in my opinion, make the industry narrative outdated, shallow and misleading for seasoned practitioners as well as new entrants.

In this second part, I am going to continue the exercise, in the light of my own field experience, with the aim of adding more depth to the topics.

Of course, some subjects addressed below overlap with my previous piece, but it is key, in my view, to state or restate a few hard facts in those areas.


CISOs must speak the language of the business

Beyond the early-2000s mindset I was highlighting in my earlier article around the “Cybersecurity as an Enabler” cliché, this type of narrative belongs to a line of thought by which stakeholders – “the business” at large – have to be convinced of the importance of cybersecurity and of the need for investment.

This is typical of vendor-driven content aimed at pushing a vendor agenda towards top executives, and unsurprisingly it is still prevalent today.

This is cheap and shallow in my opinion. Frankly, anybody holding a C-level role or title should be a business person, as well as a specialist in their own field.

The problem lies in the fact that the CISO role is rarely positioned in that way and is often relegated quite a long way down the organization. Also, many CISOs are primarily technologists by trade and background who tend to see cybersecurity issues mostly through the technology prism, which is why vendors keep pushing the type of narrative we are deconstructing here.

In reality, business stakeholders do not need convincing anymore around the importance of cybersecurity; they hear about cyber-attacks every day; many would have been exposed to those types of crises in earlier jobs.

The CISO, in my view, primarily needs to listen to business stakeholders: they will have seen CISO after CISO come in with grandiose plans, ask for millions, and leave a few years later having left behind very little of substance in terms of real transformation.

Cybersecurity transformation is not about buying more tools every time something new happens, as vendors would like you to believe.

After two decades of cybersecurity failure in many large firms, transformative efforts must be rooted in an understanding of where the roadblocks that have prevented progress in the past have been. Invariably, this is a process that leads to cross-silo governance and cultural issues in most firms.

Building that knowledge, bridging those gaps and focusing on execution excellence will build or rebuild trust between the CISO and the business. Trust is the real currency here, and it does not feed on “language”: it feeds on leadership and delivery.


Security maturity stagnates because of chronic underinvestment

This is a variation on the same theme that keeps appearing every year around budget time and belongs to the same vendor-driven agenda.

There is no denying that some firms have not invested as much as they should have in cybersecurity over the years, but overall, the problem is more complex in my opinion.

It is primarily execution failure around complex cross-silo security problems that has led to the stagnation of long-term cybersecurity maturity levels in many firms.

Execution failure builds distrust between top executives and their security team; distrust brings reluctance to invest further; that’s the engine of what I have been calling the “Cybersecurity Spiral of Failure”.

Even when the transformative agenda around cybersecurity finally hits the Board table, it cannot be left to a mere matter of investments.

Success in that space will always require time, leadership, unequivocal ownership, accountability, advocacy and relentless drive from the top of the organization.

None of these are things you will get simply by throwing money at the problem.


Security is everybody’s responsibility

That’s one of the oldest and most toxic clichés in the cybersecurity industry, in my view.

Of course, every employee has a role to play at their level in protecting the firm’s information assets, and the business at large.

But implying responsibility without accountability builds a dangerous narrative, and there is a fine line beyond which something that is “everybody’s” responsibility becomes “nobody’s” responsibility.

Clarity and accountability are key here, and this is not a training or “awareness” issue: it is a governance and cultural issue that has to involve HR and business leaders.

At one extreme of the argument, if you want cybersecurity to be “everybody’s responsibility”, it needs to be embedded in role descriptions, performance reviews and compensation schemes.

In practice, what is required here is a cultural bond that starts at the top and reaches across the firm, by which employees share and protect common values: protecting what you care about is normal and natural to most people, as I was highlighting in my earlier article around the “Human Firewall” cliché.

Protecting the firm from cyber threats (any threats in fact) should be seen as one of those common values shared across the organization, and not a “responsibility” that has to be assigned and explained.


JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was published on Forbes on 26th September 2025 and can be found here.