Time to move away from bottom-up dynamics: The Board should decide on priorities and drive the discussion
It is still amazing to see the amount of content online dedicated to justifying cyber security investments or convincing the Board…
This is difficult to match with field experience: As we have been saying repeatedly since 2019, the penny has dropped or is dropping in many boardrooms, in the face of the non-stop epidemic of cyber-attacks we have seen over the past decade, which was even aggravated by the COVID crisis.
Cyber-attacks are now seen as a matter of “when” not “if”: This is no longer, strictly speaking, a matter of risk (something which may – or may not – happen and has a probability of occurrence) but a matter of certainty, and as a result, the attitude of senior executives has shifted with regards to cyber security.
Today, questions around “are we spending enough on cyber?” are more common across the boardroom than “why do we need to spend so much?”.
In many large organisations, the Board no longer needs convincing that cyber security investments are required: The Board needs to be given assurances that delivery and execution will follow; in that respect, quite a lot of the arguments developed online around the topic seem to be going back several decades.
Board members and senior execs “have been there before” with cyber investment plans. Many large organisations would have spent millions or tens of millions with tech vendors and large consultancies over the past two decades, just to see a fresh-face CISO (often the last one in a long line) coming back asking for more money to buy more tech, arguing that threats keep morphing and that the world is about to end unless they buy more tech, all that backed by endless reports from tech vendors and their pet consultants…
CISOs – in particular incoming CISOs – have to change their narrative to avoid unnecessary discussions: This is no longer about risk reduction or ROI with the Board; in real terms, those ships sailed long ago… and CISOs facing those types of questions must ask themselves the hard questions and face why…
The focus since the start of the COVID crisis has been on tactical and technical initiatives around cyber security, but those are rarely truly transformative, and many would just have added various layers of tech legacy on top of already-crowded security estates.
CISOs must start focusing on softer matters and showcase their ability to execute because the priorities have to be on protecting the business now and in the longer term from real and imminent threats.
It has to start by demonstrating a sense of context, both in terms of business cycles (not all industries have done well throughout the COVID crisis) and also in terms of security investment cycles: Very few organisations are pure green fields in terms of cyber security and almost always, there will be a legacy of cyber security investments and practices to deal with: What happened to last investments? Were they rightly targeted? What did they achieve (or failed to achieve)? What has prevented sufficient progress?
Showing an understanding of where roadblocks have been in the past, looking over the right timeframes, and focusing on transformative initiatives which can actually be delivered in real life given the business context and available skills and resources, should be key to convincing the Board that new forces are at play and that a transformative dynamic is being established to avoid repeating the mistakes of the past.
This is likely to take the CISO into the fields of governance and culture, not technology – both within IT and the business – and those themes should resonate with the Board and give them something they can relate with and address. Because fundamentally, this is what matters most: That the Board needs to take ownership of the real cyber security agenda and start driving it top-down, at their level, in terms they can understand and manage, removing roadblocks and looking beyond tech, and pure tech matters are driven bottom-up.
From that point, it should no longer be a matter of convincing the Board of anything around cyber, but of delivering on what they expect.