Cybersecurity Strategy is Hard — Because Real Change Always Is

An interview with cybersecurity global thought-leader JC Gaillard on governance, transformation, and the real foundations of resilience

 

For over 15 years, JC Gaillard has advised some of the world’s largest firms on cybersecurity strategy, governance, and organizational transformation. A seasoned industry leader, he has witnessed firsthand how companies grapple with security — often swinging between compliance checklists, tactical fire drills, and lofty aspirations of “strategic transformation.”

In this interview, JC reflects on what strategy really means in cybersecurity, why so many organizations continue to stumble, and what it takes for CISOs and executives to move beyond short-term fixes to true long-term value creation.

JC Gaillard’s perspective is a sobering reminder that cybersecurity maturity isn’t a destination reached through annual tests or compliance checklists. It’s a long-term, governance-driven journey that requires leadership, clarity, and resilience. And while that journey is hard, the organizations that embrace it are the ones most likely to thrive in a digital world where trust is the ultimate currency.

 

People often assume you must be incredibly busy working in cybersecurity. Are you?

That’s a line I hear often in casual conversations: “You must be so busy!”

The reality is more nuanced. I’m probably not as busy as people might think, and not as busy today as I was in the past. For much of the last 15 years, my work has been focused less on the daily firefighting that many associate with cybersecurity and more on advising large firms around strategy, governance, and organization.

So, my “busy” looks different. It’s not endless incident response calls at 3 a.m. anymore. It’s about guiding executives and boards to understand what a real cybersecurity strategy looks like, and how to embed it into the DNA of their organization. That’s a different kind of intensity.

 

You’ve said that many organizations take a dysfunctional approach to “cybersecurity strategy.” What do you mean?

The word strategy is often misused in cybersecurity. Too many firms confuse strategy with paperwork or with tactics.

On one side, you have organizations that treat “strategy” as a fluffy PowerPoint deck — something put together to keep auditors or regulators happy. On the other side, you have those who believe that doing a penetration test once a year is a strategy. Neither of those is true.

A real strategy isn’t a box-ticking exercise or a list of tasks. It’s about having objectives, a clear starting point, and a defined end state. What does “good” look like for your organization? What’s the maturity you want to achieve, over what timeframes? That has to be clear from the beginning — otherwise, you’re just reacting, not leading.

 

So what are the essential elements of a true cybersecurity strategy?

A proper strategy has three layers:

  1. Objectives. You need a defined target. It could be risk reduction, maturity improvement, resilience against specific threats — but it must be based on an assessment of where you are today and a clear vision of where you want to go.
  2. Means. Once you know where you want to go, you need the means to get there. And these means are always multi-tiered: People, Process, then Technology. Too often, firms jump straight to the shiny tech solutions. But technology is the what. The harder and more important layers are the how (processes) and the who (people).
  3. Governance. None of this works without governance. You need structures, roles, accountabilities, and responsibilities that are clear and accepted. Governance is what allows strategy to survive leadership changes, budget cycles, and the noise of daily operations.

Those three elements — objectives, means, governance — are the backbone of a true cybersecurity strategy.

 

If it sounds so straightforward, why do so many firms still struggle to make it work?

Because strategy is easy to talk about but very hard to do.

First, cybersecurity challenges are inherently cross-functional. They cut across silos — IT, risk, legal, HR, operations, even marketing. In organizations where governance practices are weak or fragmented, it’s incredibly difficult to stitch all that together into a coherent strategic framework. You cannot expect strong cybersecurity governance to magically appear in a firm that has weak governance overall.

Second, urgency often distorts the picture. In many cases, the conversation only lands in the boardroom after an incident, a near miss, or a crisis hitting a peer company. Suddenly, executives want answers, and they want them yesterday. The long-term strategy gets sidelined in favor of tactical fixes. The “what” of change — new tools, new controls, new policies — takes priority over the more complex “how” and “who.”

Over time, executives change, priorities shift, and the original strategic intent fades into the background. That cycle of reaction is what keeps many organizations stuck in tactical mode, never quite breaking through to sustainable maturity.

 

You’ve written about the short tenure of CISOs. Is this connected?

Absolutely. The average CISO tenure in large firms is notoriously short — sometimes less than two years.

Part of it is the frustration I just described. CISOs are often hired with a mandate for transformation, but very quickly they’re pulled into firefighting, audits, and regulatory reporting. Their strategic agenda gets derailed by tactical noise.

Executives want the CISO to both “keep the lights on” and “transform the organization” — but without the governance, resources, or patience to support real change. That’s a recipe for burnout and churn.

And every time a CISO leaves, whatever fragile progress was made often unravels. That turnover is one of the root causes behind the long-term stagnation of cybersecurity maturity levels in many firms.

 

So what does it take to make cybersecurity a true enabler of business value?

It takes courage — and a shift in mindset at the top.

First, executives have to see cybersecurity not as a cost of compliance, but as a strategic enabler of business protection and value creation. Security underpins trust, resilience, and brand. Without it, your ability to operate and grow is compromised.

Second, organizations need to commit to the mid- and long-term. Real strategic transformation in cybersecurity is measured in years, not quarters. It requires consistency, especially when starting from a low maturity base.

Finally, it requires executives to look beyond the next quarter’s numbers and share price. That’s the hardest part. But the companies that manage to do this — to embed security as a pillar of governance, culture, and strategy — are the ones that gain a true competitive advantage.

 

If you had one message for boards and executives, what would it be?

That cybersecurity strategic transformation is hard — because real change always is.

If it were easy, everyone would be mature already. The fact that it’s complex, cross-functional, and long-term is exactly why it matters.

You don’t build resilience by chasing quick wins and shiny tools. You build it by committing to objectives, investing in people and processes, and creating governance structures that last. It’s about patience, persistence, and seeing protection as value.

That mindset remains rare today — but it’s the only path to meaningful transformation.


Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.