Time To Try Something Else

By News Room | October 26, 2023 | 7 Min Read

Founder & CEO, Corix Partners | Author “The Cybersecurity Leadership Handbook for the CISO and the CEO” | Board Advisor | Non-Exec Director.

The bottom-up approaches most have been pushing for 20 years around cybersecurity have simply failed.

I think it is time to accept that the role of the CISO, in its historical construction, was never born out of a positive and proactive management decision. It was very rarely created—at first—in response to the true realization by senior management of the need to protect the business from real and active threats.

The original iteration of the role, in the nineties for the early adopters, belongs to that first decade of information security, which was entirely dominated by risk and compliance considerations: The Security Transformation Research Foundation (a think tank operated by my company) established this quite clearly through its 2019 semantic analysis of the content of 17 annual global security reports from EY.

Information security was simply seen by senior execs as a constant balancing act between regulatory compliance, risk appetite and—above all—costs.

The role of the CISO appeared in that context at best in response to audit or regulatory observations and, at worst, at their imposition and almost as a necessary evil in some cases.

Bottom-Up Mindset

Of course, the role has evolved since then, but an entire generation of security practitioners has been trapped in a bottom-up mindset, always in search of ways to justify its legitimacy toward the business.

This is amply demonstrated by the endless debate around the CISO’s reporting line, and in particular, the obsession of some with board-level reporting or the evolution of the role in some firms toward IT Risk or information risk constructions attached to a broader enterprise or operational risk function.

Generally, those moves, all well-intentioned and aimed at broadening the acceptance of necessary security measures across the firm, have rarely worked to a full extent.

Over two decades, those bottom-up approaches have collided with endemic corporate short-termism and dysfunctional corporate governance practices and have failed to deliver essential levels of good practice and to protect against constantly evolving threats, as demonstrated by the endless string of cyber-attacks we are witnessing today.

All this has left many CISOs frustrated and is fuelling their short tenure, which has by itself become the root cause of the long-term stagnation of cybersecurity maturity in many firms.

A Matter Of “When,” Not “If”

But now, in addition, the agenda is shifting at board level. Cyberattacks are increasingly seen as a matter of “when,” not “if,” weakening all lines of discussions that have tried over the years—bottom-up—to talk about cybersecurity in terms of risk and bring it closer to corporate risk practices in a quest for legitimacy.

Risk is about things that may or may not happen; it can be accepted, transferred, mitigated.

The “when-not-if” paradigm around cyberattacks pushes the debate into a different dimension. And many CISOs are not really prepared when the dialogue with top execs shifts overnight from “Why do we need to do this?” to “How much do we need to spend?”

This is no longer about “convincing” them about an alleged “return-on-security-investment,” but about getting things done and getting them done now.

High Turnover

But many CISOs, changing jobs every two years or so, have not learned to get things done in large firms; they have not developed the political acumen and the management experience they would need.

Many have simply remained technologists and firefighters, trapped in an increasingly obsolete mindset, pushing bottom-up a tools-based, risk-based, tech-driven narrative, disconnected from what the board wants to hear, which has now shifted toward resilience and execution.

This is why we may have to come to the point where we have to accept that the construction around the role of the CISO, as it was initiated in the late ’90s, has served its purpose and needs to evolve.

A New Approach

The first step in this evolution, in my opinion, is for the board to own cybersecurity as a business problem, not as a technology problem.

It needs to be owned at board level in business terms, in line with the way other topics are owned at board level. This is about thinking about the protection of the business in business terms, not in technology terms.

Cybersecurity is not a purely technological matter; it has never been and cannot be. The successful protection of the business from cyber threats requires reaching across corporate silos, including IT, of course, but also business and support functions and geographies.

There may be a need to amalgamate it with other matters, such as corporate resilience, business continuity or data privacy, to build up a suitable board-level portfolio, but for me, this is the way forward in reversing the long-term dynamics, away from the failed historical bottom-up constructions, toward a progressive top-down approach.

I reject the idea that board members would not have the necessary skills to drive a meaningful top-down engagement around a subject as specific as cybersecurity. To me, this is just a remnant and the last line of defense of the tech-focused bottom-up spirit that has dominated for over two decades.

Board members may not have the skills to drive a top-down engagement in the way bottom-up engagements have been framed for the past 20 years, but that doesn’t mean they would not be able to comprehend the matter, own it and drive it at their level and in their own terms—possibly with some assistance.

The hard reality is that the technology-focused bottom-up approaches many have been pushing for 20 years around cybersecurity have not worked.

It is simply time to try something else.

Forbes Business Council is the foremost growth and networking organization for business owners and leaders.

Read the full article here
