Cybersecurity Strategic Transformation: Why Is It So Hard?

Why governance, people, and long-term vision matter more than flashy slides

“You work in Cybersecurity? … you must be so busy …”

To be honest, I get that quite often in casual conversations…

In fairness, and to tell the truth, I am probably not as busy as I would like to claim, and not as busy today as I might have been in the past.

For the best part of the last 15 years, I have been advising large firms around cyber security strategy, governance and organization issues.

I must say the cybersecurity industry and many of its senior practitioners have a slightly dysfunctional, almost schizophrenic approach to strategy, from those who see their strategy as a fluffy PowerPoint deck to keep auditors or regulators happy, to those who think that doing a pen test every year is a strategy.

Without getting into a lofty debate about “what is strategy”, I think it makes sense to state or restate a few points.

First of all, a strategic approach must have objectives: It could be a matter of risk reduction, it could be a matter of maturity improvement, but it must be rooted in some form of assessment of a starting point and the statement of a desired end point, to be reached over realistic timeframes. What “good” will look like in the end must be clear from the start.

It must have means to achieve those objectives. Practical as well as organisational means. Those must be multi-tiered: People, Process then Technology. This is never just about “what” needs to be done (technology), but “how” it will be done (process) and by “whom” (people).

Which means any strategic initiative needs to be backed by an appropriate governance structure with accepted roles, accountabilities and responsibilities.

Those points may be stating the obvious to some readers, but the message remains hard to convey around cybersecurity.

Why is it the case? There are mainly two groups of reasons in my view.

First of all, the inherently cross-functional, cross-silo nature of many cybersecurity challenges makes the full strategic formulation complex, especially in firms where governance practices are not well structured.

You cannot expect a strong and formal cybersecurity governance model to emerge in firms where corporate governance at large is weak or organic.

And without some form of clear and established cybersecurity governance model, most transformative efforts in that space fail over time in my experience.

Second, the transformative urgency around cybersecurity often hits the Boardroom table in the context of an incident, a near-miss, or a large-scale event affecting another industry player (the “can-it-happen-to-us?” scenario CISOs know all too well).

While a long-term strategic agenda is often demanded by senior executives, sometimes to satisfy regulators or shareholders, it is often obscured by short to mid-term tactical measures, which quickly become the focus of all actions. The “what” of change is invariably prioritised over the more complex “how” and “who” transformative dimensions.

Over time, business conditions evolve, executives come and go, and the reasons behind the original transformative agenda fade away in the background.

Many large firms operate in that way on all matters. You cannot expect cybersecurity strategic focus to be strong in a context where business strategic focus – at large – is weak.

This is why cybersecurity strategic transformation is hard. Hard to sell and hard to deliver.

It is this context that feeds CISOs’ frustrations and their endemic short tenure, which, in turn, has become one of the root causes of the long-term stagnation of cybersecurity maturity levels in many firms.

Cybersecurity strategic transformation will always take time, in particular where initial maturity is low.

What is key here is the true ability of the firm and its executives to think and act over the mid to long-term and to see business protection, at large, as a strategic enabler and a pillar of value creation. It means looking beyond the next quarter numbers and the share price. And that remains quite rare in many firms.

JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.