More than ever, simply throwing money at tech vendors while ignoring underlying cultural and governance issues will not cut it in the years ahead.
Every year around November, and for a few months, predictions of all sorts start to appear for the coming year. It has to be seen as a journalistic tradition more than anything else. All this is cheap to make, and nobody is ever held accountable for getting it wrong (or praised for getting it right).
The cybersecurity industry is not immune from it, but the least that can be said of many security predictions is that they are very … predictable: Vendors push their products, experts push their pet subjects, many so called “predictions” are simply a statement of the obvious (e.g. “ransomware is here to stay”).
The reality is that the security industry has been evolving over much longer cycles and little of its evolution can be structurally framed within the next 12 months of the Gregorian calendar.
When we approached the question of analysing the evolution of cyber security over time with the Security Transformation Research Foundation in 2019, we did it in a quantitative manner by exploring the evolution of the language used over the past two decades to talk about cyber security matters, through a word count analysis of 17 consecutive Global Information Security Surveys from EY.
The results were quite staggering and showed quite clearly a first decade dominated by considerations of risk and compliance, and a second dominated by considerations of threats and incidents. Those are the real timeframes we need to consider when looking at the ways the security industry is evolving.
We called that second decade (spanning up to 2019) the “Realisation Decade” to highlight the fact that cybersecurity was less and less seen as a balancing act between risk appetite, compliance requirements and costs, and more like a necessary barrier against real threats (in a context of massive technological change and the aftermath of a historical financial crisis).
Our prediction – at the time i.e. pre-pandemic – was that the next decade (the one we are now going through) would be an “Execution Decade” dominated by the “when-not-if” paradigm around cyber-attacks, cybersecurity transformation being gradually seen as an imperative, in a context of significant maturity deficit in many firms (and potentially massive regulatory fines).
Obviously, the Covid pandemic was not on our radar at the time, and it has had a very significant impact for most firms. It has not pushed cybersecurity off the agenda, far from it, but it has aggravated pre-existing short-termist tendencies, at least at the start of the crisis and during the following lockdown periods.
Looking back at the evolution of the security industry over 2022, I think our perception of the situation in 2019 was the right one, and many firms are continuing to engage in large scale transformative efforts around cyber security, driven for some by the lessons learnt during the pandemic.
Looking at the years ahead, I would change very little to our 2019 conclusions:
More than ever, simply throwing money at tech vendors while ignoring underlying cultural and governance issues will not cut it.
The profile of cybersecurity leaders will be key to drive change, and top management has to acknowledge that now is the time for them to step in and take a real strategic ownership of the matter.
As I wrote back in August, “Good cybersecurity is quite simply good business; it protects the firm and its customers and builds resilience; supporting it and promoting it has now become a plain matter of good leadership”.
Wishing all our readers, partners and friends a very happy, healthy and prosperous 2023.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.