
The Cybersecurity Numbers Game is a Dangerous One for CISOs


The Real Long-term Currency Here is Trust

Which vendor cybersecurity survey are we meant to believe?

This one — from Panaseer — arguing that CISOs would require a 40% increase in their budgets to be confident of mitigating security risks?

Or this one — from Expel — stating that 26.7% of security budgets were left unspent in 2022 in the UK?

Let’s start by repeating the obvious: This is vendor-led content, more than “proper” research. Those surveys claim to analyse results from hundreds of respondents — and those numbers are probably true — but little analysis is generally applied to the data beyond the calculation of percentages, and the commentaries alongside the data are always tainted by the views of the sponsors and the potential use cases of their products.

They should be seen as indicators, nothing else; but they often match the anecdotal evidence we regularly collect in the field.

In fact, those two surveys don’t really contradict each other, but they certainly paint a contrasting picture, and it feels strange that the CISOs asking for more money could be the same ones who actually struggle to spend it.

It might sound counter-intuitive, but I think that the CISOs struggling to spend it are more likely to be the — rare — ones who did get that large budgetary increase in their last round.

There is no doubt in my opinion that a vast proportion of security budgets in large firms is used to prop up legacy processes and the monumental technical debt of security estates built around countless tools. Toolkit consolidation is a necessity in large firms: They simply cannot continue to operate the bloated security estates and manual processes of the past, given the current constraints on skills, the mounting regulatory pressure and the constant escalation of threats.

It is a mistake to think that this can be solved quickly and simply by throwing more money at the situation.

Transformative efforts need resources of course, but they also need time, vision, and drive. And they need support from above in ways that go beyond budgetary commitments, because cybersecurity is, by essence, cross-functional.

This is where many CISOs go wrong in building their case for decision makers: They think this is a rational argument, to be won with facts, data and numbers.

This is the school of thought that has led to the creation of countless security ROI and cost-cutting models, and some of those models might have served their purpose in some situations: After all, they offer the appearance of science, and being seen to spend on cybersecurity protects top executives; it puts ticks in the right boxes with auditors and regulators — at a time when personal liability is becoming a top concern for many — and if breaches keep happening, execution failures can be blamed on the CISO, who becomes the natural scapegoat.

Without realising it, CISOs playing that sort of numbers game often end up weakened and exposed.

In fact, even when taking up a new job and finding a clear legacy of underspending and underbudgeting, CISOs must not start by asking themselves “how do I justify spending more” but “where does that situation come from”.

Long-term battles with top execs are not fought and won in the field of numbers. They belong to a different terrain.

The real long-term currency here is the trust between the CISO and the rest of the leadership team.

And it has to start with the CISO listening to all stakeholders, their constraints, their problems and their priorities — instead of telling them upfront what they’re doing wrong and what needs fixing, always pushing a technical agenda.

With trust as its foundation, the dialogue between the CISO and stakeholders acquires a different dimension.

Top executives run the firm: They know its strengths and weaknesses, its culture, its governance intricacies, its difficult personalities and its territorial wars.

They will also have an appreciation of cyber risk — at their level — because it’s constantly in the news and many would have been exposed to it, in their current job or elsewhere.

This appreciation will be rooted in the broader risk context the firm is facing, and in its general risk management practices. This is well illustrated by this great piece from McKinsey (“Actions the best CEOs are taking in 2023” — 15th March 2023).

That’s the context CISOs need to grasp and in which their approach needs to be rooted, before jumping to ready-made technical assumptions and asking for millions.

If they achieve it and connect their demands — and their delivery — to the expectations of senior executives, they stand a chance of entering a virtuous circle where trust breeds success and success breeds trust, and start to break up the endemic spiral of failure that has been plaguing cyber security practices for the last two decades.


JC Gaillard

Founder & CEO

Corix Partners


Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.