Cybersecurity is Not Working: Time to Try Something Else

The bottom-up approaches most have been pushing for 20 years around cybersecurity have simply failed

I think it is time to accept that the role of the CISO, in its historical construction, was never born out of a positive and proactive management decision.

It was very rarely created – at first – in response to the true realization by senior management of the need to protect the business from real and active threats.

The original iteration of the role, in the late nineties for the early adopters, belongs to that first decade of infosec, which was entirely dominated by risk and compliance considerations: The Security Transformation Research Foundation established this quite clearly through its 2019 semantic analysis of the content of 17 annual Global Security Reports from EY.

Information security was simply seen by senior execs as a constant balancing act between regulatory compliance, risk appetite, and – above all – costs.

The role of the CISO appeared in that context at best in response to audit or regulatory observations, at worst, at their imposition, and almost as a necessary evil in some cases.

Of course, the role has evolved since then, but an entire generation of security practitioners has been trapped in a bottom-up mindset, always in search of ways to justify its legitimacy towards the business.

This is amply demonstrated by the endless debate around the CISO’s reporting line, and in particular the obsession of some with board-level reporting, or the evolution of the role in some firms towards IT Risk or Information Risk constructions, attached to a broader Enterprise or Operational Risk function.

Generally, those moves, all well-intentioned and aimed at broadening the acceptance of necessary security measures across the firm, have rarely worked to a full extent.

Over two decades, those bottom-up approaches have collided with endemic corporate short-termism and dysfunctional corporate governance practices and have failed to deliver essential levels of good practice, and to protect against constantly evolving threats, as demonstrated by the endless string of cyber-attacks we are witnessing today.

All this has left many CISOs frustrated and is fuelling their short tenure, which – by itself – has become the root cause of the long-term stagnation of cybersecurity maturity in many firms.

But now, in addition, the agenda is shifting at board level. Cyber-attacks are increasingly seen as a matter of “when”, not “if”, weakening all lines of discussions that have tried over the years – bottom-up – to talk about cybersecurity in terms of risk and bringing it closer to corporate risk practices in a quest for legitimacy.

Risk is about things that may or may not happen; it can be accepted, transferred, mitigated.

The “when-not-if” paradigm around cyber-attacks pushes the debate into a different dimension.

And many CISOs are not really prepared when the dialogue with top execs shifts overnight from “why do we need to do this?” to “how much do we need to spend?”.

This is no longer about “convincing” them about an alleged “return-on-security-investment”, but about getting things done, and getting them done now.

But many CISOs, changing jobs every 2 years or so, have not learnt to get things done in large firms; they have not developed the political acumen and the management experience they would need.

Many have simply remained technologists and firefighters, trapped in an increasingly obsolete mindset, pushing bottom-up a tools-based, risk-based, tech-driven narrative, disconnected from what the board wants to hear, which has now shifted towards resilience and execution.

This is why we may have to come to the point where we have to accept that the construction around the role of the CISO, as it was initiated in the late 90s, has served its purpose and needs to evolve.

The first step in this evolution, in my opinion, is for the board to own cybersecurity as a business problem, not as a technology problem.

It needs to be owned at board level in business terms, in line with the way other topics are owned at board level. This is about thinking about the protection of the business in business terms, not in technology terms.

Cybersecurity is not a purely technological matter; it has never been and cannot be. The successful protection of the business from cyberthreats requires reaching across corporate silos, including IT of course, but also business and support functions and geographies.

There may be a need to amalgamate it with other matters such as corporate resilience, business continuity or data privacy to build up a suitable board-level portfolio, but for me this is the way forward in reversing the long-term dynamics, away from the failed historical bottom-up constructions, towards a progressive top-down approach.

I reject the idea that board members would not have the necessary skills to drive a meaningful top-down engagement around a subject as specific as cybersecurity.

To me, this is just a remnant and the last line of defence of the tech-focused bottom-up spirit that has been dominating for over two decades.

Board members may not have the skills to drive a top-down engagement in the way bottom-up engagements have been framed for the past 20 years, but that doesn’t mean that they would not be able to comprehend the matter, own it and drive it at their level and in their own terms – possibly with some external assistance.

The hard reality is that the technology-focused bottom-up approaches most have been pushing for 20 years around cybersecurity have not worked.

It is simply time to try something else.

This article is the foreword to my second book, “The Cybersecurity Spiral of Failure – and How to Break out of It”, released in January 2024.