Cybersecurity: The “What”, the “How” and the “Who” of Change

The time has come for top leaders to own the problem back and address it as they would any other business challenge

Cybersecurity budgets appear to be on the rise, driven by increasing regulatory pressure and relentless threats.

In fact, there is still a dominant line of thought in the industry pointing towards chronic underinvestment as being the underlying cause behind low levels of cybersecurity maturity in many firms.

To me, this is at best simplistic, at worst misleading.

Even if you buy into the argument, the real question here should be why large firms have been so reluctant to invest in protecting themselves from cyberthreats.

Cybersecurity good practices have been formalising themselves for over 30 years, and the last decade alone has been plagued by endless cyber incidents targeting all industries. Surely there is enough evidence pointing towards some form of inevitability behind cyber-attacks: It is hard to imagine any senior executive or board member who would dispute the importance and the relevance of cyber risk. As a matter of fact, it regularly tops the list of key global risks.

To me, reluctance to invest more in cybersecurity often points to a different side of the argument: It is chronic execution failure in that space that makes top leaders cautious.

And execution failure around cybersecurity is rooted in one simple fact: For as long as they have tried to address the issue, most firms have simply treated it as a pure technical matter, to be resolved purely by technical means.

Cybersecurity is more complex than that: Protecting the firm from cyberthreats requires the ability to reach across corporate silos, beyond IT, towards business and support functions, as well as digitalised supply chains.

You can throw as much money as you like at the problem, but if you give it to a technologist CISO to resolve, they will address it as a technology matter. They will put ticks on compliance checklists. They will close down audit points. They will deal with incidents and put out fires. They will deploy countless tools (to the point where this is now becoming a major operational issue). But they will not change the culture of your organisation around business protection, and breaches will continue to happen as threats evolve.

A lot has been said and written about the role of the “transformational CISO”, but I doubt there are many practitioners in the current generation of CISOs who can successfully wear that mantle.

Simply because most have spent the last decade firefighting cyber incidents and have never been able to project a transformative vision over the mid to long term, let alone deliver it. They have not developed the type of political finesse, of personal gravitas, of leadership, in a word, that they would require to be trusted and to succeed at delivering a truly transformative agenda across the complex and political silos of the modern enterprise.

So beyond throwing money at the problem, what is required with cybersecurity transformation is a true focus on the “how” of change, not just the “what”, and that should bring out mechanically and naturally the question of “who” should lead change in that space.

To me, the time has come for top leaders to own the problem back and address it as they would any other business challenge.

It requires clear ownership from the top and the seniority of an executive visible, audible and credible across the whole firm and all its silos, and therefore able to carry accountability for the genuine execution of cybersecurity protective measures at the level where they are required.

This is the path towards a Chief Security Officer (CSO) type of role which I have been advocating for a while, and I think this is going to become a true necessity in large firms sooner rather than later.


About the Author

JC Gaillard is the author of “The Cybersecurity Leadership Handbook for the CISO and the CEO” and “The Cybersecurity Spiral of Failure”; he is a leading strategic advisor and a globally recognised cybersecurity thought leader, founder and CEO of Corix Partners and Fellow of the Chartered Institute of Information Security in the UK.
