“This is no longer just about tech — if it ever was”
Surveys focused on the concerns and priorities of the CISO community have been quite consistent over the last few years, and collectively, they paint a slightly uncomfortable picture: The picture of CISO roles and security practices still operating bottom-up, disconnected from the dynamics of the business and the broader culture of their organisation.
In spite of the non-stop avalanche of cyber-attacks we have seen over the past decade, many CISOs still complain about a lack of board-level engagement and difficulties in getting sufficient budgets.
The overall sentiment is one of frustration, leading to (well-documented) shorter tenures and burnout problems.
But another aspect which is often overlooked in the background is the lack of operating structure many cyber security practices seem to have.
Instead of being built around some form of operating model that would detail processes, tasks, roles and responsibilities for all stakeholders, they seem to be driven by projects (in proactive or reactive mode) and by operational tasks aggregated over time (exception management for some, privileged access management for others, etc.).
In fact, in absence of a structured framework to work against, this is often the only way those cyber security practices can operate, evolving “as they go along”, in project mode or in firefighting mode.
Security awareness ends up being a perennial low-hanging fruit and an easy sell for CISOs, when they cannot find other levers, but the emphasis on developing a stronger security culture cannot be the only axis of action for the CISO.
But how can you justify budgets, attract or retain talent without a structured referential to work against, and in absence of a clear governance model, roles, responsibilities and — to a degree with regards to staff retention — clear career paths?
And again, how can you claim you do not have enough staff in the absence of a target operating model detailing the tasks and the resources required to deliver them? It can only be a finger-in-the-air exercise; the very kind any half-decent CFO would smell from miles away.
This kind of empirical, bottom-up and organically developed cybersecurity function does not work. It has failed to protect large organisations over the past two decades and needs to evolve.
What is required is structure, business acumen and top-down engagement.
The culture of frustration many CISOs have developed is probably comfortable for some; there is always someone to blame (“the business”) and another juicy job to move into afterwards.
But it does not help organisations and society at large.
To break this spiral of failure, the profile of the CISO needs to evolve and the board needs to take ownership.
This is no longer just about tech — if it ever was. This is about protecting the business against cyber-attacks which have now become a matter of “when not if”. This is no longer something you can push down in the organisation.
If the board does not see the need — or does not feel qualified — to step in, nothing will ever change for good around cyber security, because it has simply become too complex and too transversal in large organisations. Bottom-up approaches will continue to pour cash down the drain and CISOs will continue to leave every other year out of frustration. And breaches will continue to happen.
If the board wants to set the direction, it should drive: appoint someone it trusts and can talk to (it does not have to be a technologist) and empower that person to build or rebuild cyber security practices across the firm, in the light of what the board wants and expects.
The COVID crisis has presented most organisations with unprecedented situations, but it has not made cyber security less of a priority. On the contrary, cyber security — whether it is in support of remote working, e-commerce or digitalised supply chains — has become a pillar of the “new normal”.
Now is the time to deal with it strategically, and from the top down.