The CISO, the CSO and the Future of the Cybersecurity Organization
For many firms, it is a cultural transformation that is required, not just the implementation of some new tools.
?
Recent surveys continue to paint the picture of a fairly unhappy CISO community, hopping from job to job, trapped in failed and endless bottom-up games with senior executives in their attempts to justify their views of what needs to be done to protect their firm from cyberthreats.
The situation is almost presented as an unavoidable paradigm: Very few analysts question how and why the cybersecurity industry ended up in such state, or how to break out of it.
At the heart of the matter, lies the fact that, for over two decades, most firms have simply treated cybersecurity as a technical discipline
The current generation of CISOs is mostly made up of technologists by trade, background and for many, vocation. They have been pushing – bottom up – for over two decades a technology-driven, tool-driven agenda which, broadly speaking, has failed, and the acceleration of cyber threats linked to unstoppable technological and business evolutions has trapped them in the endless firefighting of cyberattacks, a painful dynamic that has prevented them from developing the leadership and management depth they would now need to reach credibly towards business communities.
Because over the past decade, the penny has dropped with many business leaders: Most are no longer in denial about the inevitability of cyber-attacks, the devastating impact they can have and the need for protection, but they expect effective and efficient execution across the business.
Most current CISOs seem to miss that last point: They appear to focus their communication towards senior execs on “what” needs to be done; the aspects related to “how” it would be executed being relentlessly reduced to matters of headcount and investment.
This is a big mistake, in my opinion: To start creating different dynamics, you need to accept that cybersecurity – i.e. the protection of the business from cyber threats – cannot be reduced to its mere technical dimension: To be effective and efficient, it needs to reach across corporate silos, into business and support functions as well as IT, and increasingly across a more and more diverse and digital supply chain.
For many firms, it is a cultural transformation that is required, not just the implementation of some new tools.
Putting in place the right governance structure to achieve that in large firms, requires management finesse, personal gravitas, and fundamentally a degree of trust from other executives, something too few current CISOs have developed over the past two decades.
Those imbalances, in my opinion, are what is feeding their discontent: They hop from job to job every other year without never achieving anything truly transformative; firms keep replacing an outgoing CISO by another one coming from the same community, and the problem keeps replicating.
The best way to break such deadlock in my view remains to stop pretending that current CISOs can bridge the existing gaps and split the historical construction of their role between:
It may be hard to achieve currently in some geographies due to regulatory pressure and potential personal liabilities, but it remains a path worth exploring to break the current spiral of failure around cybersecurity.
Click here to join our newsletter for more Cyber Security Leadership insight.
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges