Strategy and Governance /

The Cybersecurity Spiral of Failure (and How to Break Out of It)

spiral

Trust between CISOs and senior executives is the only platform on which successful transformative efforts can be built around cyber security.

 

For the past two decades, many organizations have been trapped in a spiral of failure around cybersecurity, driven by endemic business short-termism and the box-ticking culture of many executives around compliance.

Cybersecurity is a complex matter that needs to reach a long way out of its native technical niche, towards business and support functions, and across geographies.

Successful transformation in that space takes time because of the need to reach across those, and effectively embed secure practices across the culture of the firm.

In real-life, many senior executives struggle with a genuine long-term view. “In the long-term we are all dead” and many CISOs coming up with multi-year transformative plans would have been forced by their bosses to focus tactically on alleged quick-wins and compliance box-ticking measures to get their plans accepted, before seeing their initiatives deprioritized at the first sign of any business development (merger, acquisition, arrival or departure of senior executives, economic downturn or anything else)

All this has been fuelling the short-tenure of CISOs and the succession of cyber security leaders – each coming in with their own priorities, pet subjects and pet products – simply led, in many firms,  to an accumulation of poorly-deployed, under-utilized “solutions”, invariably architected around the specific capabilities of individual technical tools.

This proliferation of technical debt has reached colossal proportions, with a TrendMicro survey (amongst others) suggesting last year that “global organizations have on average 29 security monitoring solutions in place”.

It breeds a level of operational complexity which is highly expensive to run, but also talent-attritive due to the inherently manual nature of the processes it creates; we have reached a point where many security practices have become impossible to scale up in their current state due to the ongoing tensions on the skills market.

SOC analysts burnout; breaches keep happening and senior executives develop a sense that cyber security is just a cost and a problem, which compounds their distrust and reluctance to commit resources (in the face of endemic execution failure in that space), and their native short-termist and box-ticking tendencies (in the face of endless incidents and the regulatory pressure that situation brings).

cybersecurity spiral of failure

Many CISOs think this is a cycle that that has to be broken at the top, by convincing the business of the value of cyber security to unlock strategic long-term dynamics.

This is the line of thought that has produced endless material over the past two decades about “cybersecurity-as-an-enabler” and “return-on-security-investment”.

This is often a very hard line to follow in practice, as it generally pitches the CISO (bottom-up) against deeply-rooted business mindsets, and dysfunctional practices which (almost always) span a long way further than cyber security: Do not expect cyber security governance to work well, in an organization where corporate governance is broken; do not expect cyber security projects to deliver, in an organization where projects don’t deliver… Those are not problems the CISOs on their own can address.

In my experience, this complex endeavour often leads to nowhere, aggravating further the short tenure of CISOs.

CISOs may encounter more success tackling the problem at operational level (at the bottom of our spiral) and prove their worth by making cyber security work for the firm, reducing operational complexity, bringing costs under control, improving on analysts retention (and mental health), and ultimately, showing that an effective and efficient security operational practice does prevent breaches.

Dealing with the cyber security technical debt will invariably involve working at a number of levels:

  • Focusing on process and people first, to kill the dynamics and the culture by which buying more technical tools is the answer to any security problem (in spite of what vendors would like you to believe);
  • Decluttering the existing cyber security technical estate by streamlining operational processes and removing useless legacy layers;
  • Focusing security automation of improving the efficiency of analysts by removing or simplifying manual tasks, so that they can dedicate more time to the higher value jobs for which they were trained and hired (incident management or threat intelligence for example).

This is also about turning cyber security from a problem and a cost, into a success story: A positive force that protects the business – effectively and efficiently.

Trust between CISOs and senior executives is the only platform on which successful transformative efforts can be built around cyber security.

Operational success should breed trust, and trust should bring management attention and resources beyond the immediate horizon, effectively breaking the spiral of failure of the last decades.

 

 

JC Gaillard

Founder & CEO

Corix Partners

Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was originally published on Forbes on 29th November 2022 and can be found here.