What Ever Happened with Cybersecurity Strategic Thinking?

Businesses need to break out of the tactical mindsets that have dominated the past few years while their damage can still be reversed

Since the advent of the Covid pandemic in 2020, cybersecurity practices, like business at large, have been struggling with strong short-termist and tactical headwinds:

  • First, understandably, in relation to the handling of the pandemic itself: delivering and securing remote working at scale, and dealing with the increased rate of cyberattacks the pandemic triggered, as well as general business uncertainty.
  • Then, as the world emerged from the pandemic, in relation to geopolitical tensions, supply chain disruptions and supply chain attacks, as well as increasing and more sophisticated ransomware threats targeting all industry sectors.
  • And finally, with the release of ChatGPT in Q4 2022, in relation to some form of generalised business panic around generative AI, triggering a monumental wave of shadow IT, dwarfing in size and impact what businesses witnessed with the advent of cloud computing solutions 15 years earlier.

Not to mention:

  • Rogue isolated events such as the CrowdStrike incident in the summer of 2024, which cannot be regarded directly as a cybersecurity event but which induced large-scale knee-jerk reactions around crisis management and business continuity practices.
  • Political or fiscal uncertainty in many countries throughout 2024 (France, the UK, the U.S. to name a few).
  • Or the continuation of geopolitical volatility.

Little in the above was predictable or avoidable, and to a large extent, cybersecurity practices can only follow business cycles.

Still, this is a logic that has trapped CISOs in tactical games that are rarely conducive to the development of cybersecurity maturity, if that’s what’s required.

Avoiding the “firefighting trap” has always been a major challenge for transformative CISOs, but the business cycles of the last few years have been particularly hard and will leave scars.

They have aggravated already strong tendencies that have been at the heart of the cybersecurity “spiral of failure” of the last two decades.

They are also aggravating the regulatory intervention, which in the end is simply a natural market reaction to continuing cyberattacks and the perceived inadequacy of the business response.

There is still no sign of any strategic mid to long-term response to that situation in many businesses, where compliance management remains a box-ticking game, and cybersecurity, a technology discipline.

This is now a matter encompassing much more than traditional cybersecurity domains, as we have seen with CrowdStrike and other major crises over the past few years, given the degree of hyperconnectivity businesses now require to function – something that has become even more salient since the Covid pandemic and the digitization at scale of many business processes.

It is now obviously a cross-silo matter that requires a cross-silo strategic response in many firms: it cannot be left to the CISO or the CIO – bottom-up – to protect, from within their own silos, the entirety of digitalized business chains.

On those matters, businesses need to break out of the tactical mindsets that have dominated the past few years while their damage can still be reversed.

A lot is being said and written around “resilience”, but it remains an abstract concept and feels increasingly like a piece of consultant jargon. At best, it tries to address the “what” of change but rarely the “how”.

Things are much simpler, in my opinion, and change needs to start at a different level with the embedding of business protection ethics within business strategy.

The sound protection of the business from all threats can no longer be seen as some form of regulatory imposition: working in layers, it ensures the adequate functioning of the firm (including its “resilience”, i.e. its ability to continue functioning under stress) and, by protecting digital trust, it protects brands, reputational assets and shareholder value over the longer term.

It may be totally new for some, but business protection has now acquired a proper strategic dimension.

Making that shift will require clear and unequivocal championing from the top in most firms, and cultural relays throughout the entire organization, but it has now become a plain matter of good leadership and good business sense.


About the Author

JC Gaillard is the author of “The Cybersecurity Leadership Handbook for the CISO and the CEO” and “The Cybersecurity Spiral of Failure”; he is a leading strategic advisor and a globally-recognised cybersecurity thought-leader, founder and CEO of Corix Partners and Fellow of the Chartered Institute of Information Security in the UK.
