Cybersecurity: The Key Ingredient is Trust, not Money

Where trust is present between CISOs and top executives, justifying investments is rarely a problem.

This interesting piece caught my eye on social media and deserves some commentary (5 Key Questions CISOs Must Ask Themselves About Their Cybersecurity Strategy, The Hacker News, 8 July 2024).

I think the list of five questions is broadly valid, and the article accurately reflects the challenges faced by many CISOs:


  1. How do I justify my cybersecurity budget?
  2. How do I master the art of risk reporting?
  3. How do I celebrate security achievements?
  4. How do I collaborate with other teams better?
  5. How do I focus on what matters most?


But what is most interesting to me in this list is the order in which the questions are raised, and the way it seems to imply some form of priority for the CISO.

In many ways, we have been encouraging CISOs in these columns for years to build their practice in a manner that approaches this list almost from the bottom up.

Focusing on what matters most should be the starting point for CISOs. This is not just about prioritising activities and balancing resources between project work, operational tasks and the unavoidable firefighting of incidents. It is about the CISO having a clear mid- to long-term vision of where their practice needs to go in terms of maturity development, as well as of how it will meet the needs of the business.

For example, over the past few years we have firmly advocated that decluttering the cybersecurity toolkit landscape should be a key dimension for many CISOs, in order to rationalise operational processes, improve analyst efficiency (and retention rates), and keep costs under control, instead of always asking for more resources just to prop up legacy practices.

This is one of the engines we have been highlighting to break the endemic “spiral of failure” around cybersecurity, and it is one over which most CISOs should have a degree of influence or control.

Collaborating with other teams and celebrating achievements should be natural to any CISO, but I agree that for many, stuck in firefighting mode or in an impossible role, it is probably something that has been neglected and needs to be reinforced.

After all, cybersecurity is, and has always been, intrinsically a cross-silo matter, and celebrating achievements with your team is just good management.

But again, all this should stem naturally from a clear vision, focused on key, achievable, mid to long-term objectives involving all parts of the business.

Cross-silo collaboration and selling success against the delivery of a clear roadmap should be the blueprint against which the CISO establishes trust with other stakeholders across the firm.

Trust is key in all this, and it can only come from clarity of vision and reliable execution against that vision.

Reporting to top executives is of course essential, and is also a key dimension of selling success, but I feel this is less and less about risk, as we have been saying repeatedly in these columns.

As the “when-not-if” paradigm takes root in the Boardroom, business leaders expect to be given assurance that the firm is reasonably protected against breaches they now regard as unavoidable. They will often commit to sizeable investments if they are given confidence that the cybersecurity structure in place across the firm is capable of delivering that protection.

This takes us to the budget justification question. It will sound counter-intuitive to many CISOs, but to me this is almost the least relevant of the five.

The key ingredient in all this is trust, not money. And trust is built out of execution excellence and successful cross-silo collaboration.

In my experience, where trust is present between CISOs and top executives, justifying investments is rarely a problem.

So my message to CISOs is simple: build a sound vision for your practice, and start from the bottom of the list. The rest will follow.


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges
