You cannot expect the CISO on their own, bottom-up, to reverse widespread business dynamics, where short-termism prevails everywhere across the business.
I have written at length about the difficulties many large organizations encounter with cybersecurity, and their endemic execution problems when it comes to protecting themselves from cyber threats.
While the diagnostic is relatively clear in my view, there is one aspect that needs repeating, and frames the entirety of the problem in many firms.
You cannot expect cybersecurity projects to deliver in firms where projects – in general – don’t deliver; where there is no accountability against original objectives; where no-one looks beyond alleged quick wins in ANY project.
With business projects, in the end, it all boils down to well-established business concepts: Return on investment, customer acquisition costs, time to market, etc… : You kill or stop (or reframe) a project when it costs too much, goes too slow, or because business priorities have shifted. You simply cut your loses and everyone moves on. It happens all the time, and those decisions may involve multi-million investments; amounts many CISOs would like to have at their disposal in those firms, and which dwarf the costs of most cybersecurity initiatives.
Some firms are in constant upheaval, constantly churning out new initiatives in spite of whatever may be already underway, constantly killing or repositioning ongoing projects.
For some, it’s simply their way of working, taking to an extreme the Zuckerberg “go-fast-and-break-things” principle. This is often seen as a sign of good business health and a strong market; as long as there is growth and profits are good, the guys upstairs won’t really care.
At the other end of the spectrum, some firms exhibit similar symptoms for the opposite reasons: Because they are struggling to keep the lights on and are constantly juggling with existential threats.
Don’t expect cybersecurity projects to do well, where what I have highlighted here is the dominant business mindset.
Why? Because very often there is no real quick win for those projects, after two decades of adverse prioritisation and constant arbitration between costs, regulatory compliance and some form of – often simplistic or misguided – appreciation of risk appetite (“we’ll accept the risk” becoming the ultimate bullet that brings all discussions to an end).
Where cybersecurity maturity is low and has been low for ages, transformative initiatives cannot be driven simply by the deployment of some technical solutions. They need to reach into business and support practices, and preferably in that order: Process, People, then Technology.
Focusing on technology first and stopping at alleged quick wins, before the initiative is killed or deprioritised, simply achieves nothing around cybersecurity.
Over time, technical debt piles up; operational complexity breeds manual processes; manual processes breed attrition, in an already tough skills market; security analysts burn out and breaches keep happening.
Only putting things in the right perspective in terms of timeframes, looking over the mid to long-term and thinking in terms of Process and People first (then Technology), can be transformative on a subject as complex and cross-functional as cybersecurity.
It’s much harder for CISOs than buying the next shiny tool, leaving after two years with the whole thing half-finished, and blaming “the business” in the process.
But it’s the only way forward around security transformation: To succeed, it requires management experience, personal gravitas and political acumen on behalf of the CISO: Leadership skills in one word, more than raw technical skills.
But you cannot expect the CISO on their own, bottom-up, to reverse widespread business dynamics, where short-termism prevails everywhere across the business.
It requires unambiguous, visible, credible and constant support from a cybersecurity champion at the top of the organisation.
That combination – of an experienced CISO who is a real business leader more than a technologist, and a respected top exec ready to throw their weight into the battle – is the real and ultimate secret sauce around cybersecurity transformation.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
An edited version of this article was published in Forbes on 11th December 2023 and can be found here.