Why Cyber Security is Now a Board-Level Leadership Imperative
Supporting cyber security and promoting it has now become a plain matter of good leadership
We are not hearing enough about the short tenure of the CISO.
Regular studies place it in the region of 2 years, and anecdotal evidence from my own network, based on the analysis of the profile of 15 current CISOs, points towards 30 months.
In my opinion, it is often the symptom of serious underlying issues and the cornerstone of long-term stagnation for many cyber security practices in large firms.
We have to look beyond the most commonly invoked reasons: Lack of resources, disconnect with management, and constant firefighting leading to mental health issues and burnout.
All three aspects, in my opinion, point towards the profile of the CISOs themselves.
Not all organisations are doing well and not all organisations are well managed, but it is hard to imagine one where senior executives and Board members would be insensitive to cyber security issues, given the level of media coverage of the past decade and the non-stop occurrence of cyber-attacks.
Actually, “are we spending enough on cyber?” has become a far more common question at these levels over recent years, than “why do we need to spend so much?”
In such context, CISOs failing to obtain the resources they deem necessary to do their job, should ask themselves where this is going wrong.
More often than not, the problem is rooted, not so much in the amounts involved or the storytelling by the CISOs, but in the excessively technical focus of the demands, and the trust deposited by senior executives in the CISOs themselves with regards to their ability to execute on what they are asking.
Let’s not forget that the role of the CISO is rarely a Board-level construction engineered top-down; at best, it has evolved bottom-up out of a technical context; in most cases, it is still a technical construction rooted in IT matters.
Over the past decade, many senior executives and Board members in large firms would have seen several generations of CISOs coming up with grandiose plans asking for millions to spend on tech firms and tech products, before disappearing after a few years having achieved very little in practice.
It is hard to get things done in real terms in large firms on a complex topic such as cyber security, which cuts across all corporate silos, in particular where maturity levels are low and radical change is required. It requires time, persistence, and relentless drive.
On cyber security matters, the penny has dropped years ago in the boardroom around the “when-not-if” paradigm, but CISOs need to understand how much this is changing the nature of the agenda for senior execs.
All of sudden, this is no longer just about risk – something which may or may not happen – or putting ticks in compliance boxes at minimal cost; it becomes a plain matter of business protection and as a result, the actual execution of protective measures becomes paramount.
But CISOs have been poorly prepared by the last decade for the type of management challenges involved in this shift.
They continue to understand “when-not-if” as meaning “whatever-we-do-we-will-be-breached” and to see the value they bring as being rooted simply in the short-term tactical and technical firefighting of cyber-attacks, and not so much in the actual implementation of good practices with the view of delivering a degree of long-term and lasting protection across the firm.
That’s the root of the disconnect between CISOs and many senior executives: They are often prepared to consider large investments around cyber security, but they expect to be given a sense of perspective, credible execution to follow, and some degree of protection to result from it; not just constant demands to buy more tech, covered in technical jargon, every time something happens …
All this breeds frustration; frustration breeds mutual distrust; distrust breeds unwillingness to commit resources; this is the vicious circle which feeds short tenures.
In practice, short tenures breed long-term stagnation: You don’t achieve a lot in large firms in 2 to 3 years; quite often, very little gets done beyond tactical measures and alleged technical low-hanging fruits; almost always, projects which have started are aborted or left unfinished, as the next CISO has other views, or business priorities have changed.
To break this spiral of failure, in particular where maturity is low and things need to change, the Board needs to take ownership, assign clear responsibility for cyber security to a senior executive they trust at their level, and start driving the topic top-down with a sense of long-term perspective, looking beyond the day-to-day of the business.
Board members often object that they simply don’t have the skills to do that, but in my opinion, it is a misconception, and they must not stop at that hurdle: Cyber security is not just a technology problem; it never was.
It is a problem rooted in culture and governance, which happens to have a technology dimension like almost everything large enterprises do.
Getting the governance right from the top down around cyber security is a plain leadership matter which fits perfectly in a Board agenda, and the necessary start to embed the right business protection culture in each and every corporate silo.
Middle management needs to see the right attitude, the right example and the right message coming consistently from the top around cyber security, and in most cases, given the right support, they will follow.
Good cyber security is quite simply good business; it protects the firm and its customers and builds resilience; supporting it and promoting it has now become a plain matter of good leadership.