JC Gaillard, Founder & CEO, Corix Partners | Board Advisor | Non-Exec Director | Author “The Cybersecurity Spiral of Failure”
I have been writing about cybersecurity leadership, management and governance issues since 2015. What drove me to writing was primarily the low level of cybersecurity maturity I was coming across in many large firms as part of my day-to-day field work as a consultant.
For me, it was difficult to understand why corporations that would have had cybersecurity practices—and budgets—for decades were still struggling with fundamental pillars of good practice, such as identity management or patch deployment. Analyzing and highlighting the dynamics of what I ended up calling the “cybersecurity spiral of failure” has been at the heart of my work throughout the last 10 years.
Another aspect that has been fascinating for me over the past decade is the number of topics that keep coming up cyclically in cybersecurity articles, and how a similar analysis keeps appearing in what has effectively become a typical echo chamber (a pattern that predates generative AI writing those pieces).
In this article, I would like to deconstruct three of these ideas, which in my view embody the problems still facing the cybersecurity narrative and highlight why it is key to avoid shallow and outdated positions on those matters.
Cybersecurity As An Enabler
This is typical of a mindset that goes back to the first decade of this century, in what was still the early days of cybersecurity practices (the first CISO jobs appeared in the late ’90s). Many senior executives used to see cyberattacks as low-probability/low-impact events that would be dealt with if and when they occurred, and they often saw compliance requirements as an arbitrary regulatory imposition.
CISOs and their consultants built the “cybersecurity as an enabler” narrative to try to break those deadlocks, in an attempt to reach into some form of business logic.
But by doing so, I noticed they were ignoring endemic short-termism and deep-rooted cognitive biases at the heart of the business attitude on the matter, and there is no evidence that the “enablement” narrative ever worked, beyond generating headlines across the industry.
As my organization showed in 2019 when analyzing the cybersecurity evolution across the first two decades of the century, it is the advent of the cloud and the acceleration of cyberattacks it triggered after 2010 that led to a change in perception, with the dominant center of interests for executives shifting from risk and compliance to incidents and breaches.
The second decade of the century became truly a “realization decade,” during which cybersecurity gradually started to be seen as a necessary barrier in the face of real threats: not something that needs to be justified to “enable” the business to function, but something that needs to be in place to “protect” the business, its customers, its brand and shareholder value.
The CIO/CISO Conflict Of Interest
This is also typical of the same outdated mindset and is often heard, even nowadays, in relation to the CISO reporting line. This is one of the first topics I wrote about in 2015, and at the time, it was already one of the oldest fixations in the cybersecurity industry.
It is conceivable that 20 years ago, some CIOs might have followed their business bosses in their low-probability/low-impact assessment of cyber threats and denied CISOs the resources they were asking for. Every CIO has the right to choose the battles they want to fight, and this one was often seen as too difficult.
Given the avalanche of cyberattacks we have been seeing over the past 15 years, I don’t think this type of attitude is common today, or even sustainable.
As a matter of fact, business leaders—most of them—are well aware of the inevitability of cyberattacks, and “Are we spending enough on cyber?” has become a more common question for CIOs than “Why do we need to spend on that?”
Organizations where this mindset persists often have a deep-rooted problem and may be in denial about the state of their cyber exposure. Wherever you place the reporting line of the CISO in those organizations, the problems will likely remain.
The Human Firewall
This is a more recent line of thought that has emerged throughout the last decade in the face of the sophistication of cyber threats, and this view tends to see security training and awareness development as the central pillar of any cyber strategy.
To me, this is short-sighted, even if there is no denying that cybercrime targets people and that social engineering is key in many attack patterns. What is misguided here is to believe that you can change people’s attitude at this level by explaining to them what to do or not to do, and broadly speaking, get them to change their attitudes through logic and reasoning.
Many unsafe attitudes in the office are rooted in unsafe social practices and cognitive biases, and changing them requires a cultural shift, not just training.
Fundamentally, you protect what you care about, and it is only a sense of care for the firm, its values and its people that can lead to an embedded desire to protect the firm’s data and information assets. That has to start with the leadership team embodying the right example and needs to cascade down from the very top of the organization.
So there is indeed a “human firewall,” but it is a cultural one driven from the top, not one driven bottom-up or sideways by CISOs through tools and leaflets.