Only a cultural shift across the Boardroom can move the needle
The survey released by BT Security in January 2021 (“CISOs under the spotlight”) is interesting, if only by the size of the population surveyed (over 7,000 people) and its triple focus on consumers, employees and business leaders.
But its findings are problematic, in particular in what they reveal of the attitude of senior executives towards cyber security, and the persistence of some problems at the top.
It starts well, with some stats broadly consistent with other surveys and anecdotal field evidence: 58% saying that improving data and network security has become more important to their organisation in the last year, and 76% rating their organisations as “good” or “excellent” at protecting itself from cyber threats.
But these stats are hard to reconcile with others in the report: On page 7, the mention that “fewer than one third of business leaders rate key components of their company’s IT security as excellent” and that, broadly, they have “low confidence in the organisation’s ability to deliver the fundamentals”; Also, on page 13, the statement that “fewer than half of executives and employees can put a name to their CISO”
Without a fuller access to the underlying dataset, it is hard to draw hard conclusions, beyond the fact that clearly an amount of confusion persists with business leaders around cyber security: How can you say that security is becoming more important and that your organisation is well protected, and at the same time, be unable to name your CISO??? And what does that tell us about the profile of the CISOs in those organisations???
Another aspect, typical of those surveys, is the emphasis on getting the security basics right, and the importance of awareness development with employees.
To truly move the needle on those matters, you need to go beyond the obvious and start confronting the real underlying issues. This is something on which we already commented last year, in relation to several reports from the World Economic Forum.
Of course, getting the basics right and training employees are essential pillars of any cyber security practice, but the real question remains: Why are we still here banging about it?
Good cyber security practices such as those mentioned in the BT survey – patching, access management, etc… – have been regarded as good practices for the best part of the last two decades, and large organisations which – collectively – would have spent tens or hundreds of millions on cyber security across that period, should not be in such poor state. Period.
The underlying causes of that failure are rooted in adverse prioritisation by the business, short-termism and internal politics. All factors pointing firmly towards problems of culture and governance at the top.
Until surveys such as this one, or the ones from the WEF we commented on last year, start tackling those issues, not much will move for good around cyber security.
The same, broadly, can be said around security awareness development. Of course, it’s essential… but the “human firewall” has to start at the top of the organisation.
How can you expect staff to follow good practices and accept security constraints, if they see senior executives constantly allowed to skip the rules???
There is so much a CISO and their organisation can push horizontally across the business or bottom up, and without a clear and unambiguous endorsement from the top, the best cyber security awareness programme can quickly turn into an expensive box-checking exercise… The example must come consistently from the top, for any security awareness programme to stick and yield results.
So the CISOs are indeed “under the spotlights”, but can they really “drive the reset” induced by the “speed and scale of the digital transformation triggered by the global pandemic”? (page 13)
In the current state of affairs, probably not.
The attitude senior executives have had towards security in most organisations over the past two decades has driven towards CISO roles a certain type of people. Most are technologists, consultants or auditors by background; very few come from true business roles.
So before the CISO can “drive the reset”, it is the role itself that needs a reset. “Enterprises urgently need to elevate cybersecurity leadership” (page 13): On that point, the BT survey is spot on. But it is easier said than done.
Once again, this is something that has to come from the top and it may require a broadening of the traditional CISO portfolio towards continuity and privacy, effectively building up the role into an elevated CSO role able to reach across the organisation.
Such shift, supported at Board level and coupled with adequate compensation packages and career profiling, should attract a different type of executive and would drive change. This is the type of move we have been advocating since 2018 to address the challenges of the digital transformation and the increased demands on privacy compliance that came with GDPR.
But going back to the BT survey, to fix all this and get cybersecurity moving for good, you need to tackle the problem at Board level, not at CISO level.
It is only a cultural shift across the Boardroom which will move the needle.