Debunking Three Cliches Deeply Entrenched in the Cybersecurity Industry Echo Chamber
I have been writing about cybersecurity leadership, management and governance issues since 2015.
What drove me to writing was primarily the dramatically low level of cybersecurity maturity I was coming across in many large firms as part of my day-to-day field work as a consultant.
For me, it was difficult to understand why corporations that would have had cybersecurity practices – and budgets – for decades were still struggling with fundamental pillars of good practice such as identity management or patch deployment.
Analysing and highlighting the dynamics of what I ended up calling the “cybersecurity spiral of failure” has been at the heart of my work throughout the last ten years.
Another aspect that has fascinated me over the past decade is the number of topics that keep coming up cyclically in cybersecurity articles, and how the same analysis keeps being pushed with hardly any critical sense by writers and journalists, in what has effectively become a typical echo chamber (and it started well before generative AIs began writing those pieces).
In this article, I would like to deconstruct three of those which, in my view, embody the problems still facing the cybersecurity narrative, and highlight why it is key to avoid shallow and outdated positions on those matters.
Cybersecurity as an Enabler
This is typical of a mindset that goes back to the first decade of this century, in what was still the early days of cybersecurity practices (the first CISO jobs appeared in the late 90s).
Senior executives used to see cyber-attacks as low probability / low impact events that would be dealt with if and when they occur, and compliance requirements as an arbitrary regulatory imposition.
Many CISOs and their consultants built the “cybersecurity as an enabler” narrative to try to break those deadlocks, in an attempt to reach into some form of business logic.
But by doing so, they were simply ignoring endemic short-termism and deep-rooted cognitive biases at the heart of the business attitude on the matter, and there is no evidence that the “enablement” narrative ever worked, beyond generating headlines across the industry.
As we showed with the Security Transformation Research Foundation in 2019, analysing the evolution of cybersecurity across the first two decades of the century, it is the advent of the cloud and the acceleration of cyber-attacks it triggered after 2010 that led to a change in perception, with the dominant centre of interest for executives shifting from risk and compliance to incidents and breaches.
The second decade of the century truly became a “realisation decade”, during which cybersecurity gradually started to be seen as a necessary barrier in the face of real threats: not something that needs to be justified to “enable” the business to function, but something that needs to be in place to “protect” the business, its customers, its brand and shareholder value.
The CIO / CISO Conflict of Interest
This is also typical of an outdated mindset and is still often heard, even nowadays, in relation to the CISO reporting line.
This is one of the first topics I wrote about in 2015 and at the time, it was already one of the oldest fixations in the cybersecurity industry.
It is conceivable that 20 years ago, some CIOs might have followed their business bosses in their low probability / low impact assessment of cyber threats and denied CISOs the resources they were asking for.
Every CIO has the right to choose the battles they want to fight, and this one was often seen as too difficult.
Given the avalanche of cyber-attacks we have been seeing over the past 15 years, I don’t think this type of attitude is common today, or even sustainable.
As a matter of fact, most business leaders are well aware of the inevitability of cyber-attacks, and “are we spending enough on cyber?” has become a more common question put to CIOs than “why do we need to spend that?”.
Organisations where this mindset persists have a deep-rooted problem and are probably in denial about the state of their cyber exposure. Wherever you place the reporting line of the CISO in those organisations, the problems will probably remain.
The Human Firewall
This is a more recent line of thought that has emerged over the last decade in the face of the growing sophistication of cyber threats, and it tends to see security training and awareness development as the central pillar of any cyber strategy.
To me, this is short-sighted, even if there is no denying that cybercrime targets people and that social engineering is key in many attack patterns.
What is delusional here is to believe that you can change people’s attitudes at this level simply by explaining to them what to do or not to do, and, broadly speaking, get them to change their attitudes through logic and reasoning.
Many unsafe attitudes in the office are rooted in unsafe social practices and cognitive biases, and changing those requires a cultural shift, not just training.
Fundamentally, you protect what you care about, and it is only a sense of care for the firm, its values and its people that can lead to an embedded desire to protect the firm’s data and information assets.
That has to start with the leadership team embodying the right example and needs to cascade down from the very top of the organisation.
So there is indeed a “human firewall”, but it is a cultural one driven from the top, not one driven bottom-up or sideways by CISOs through tools and leaflets.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
An edited version of this article was published on Forbes on 20th June 2025 and can be found here.