Empirical, bottom-up and organically developed cyber security functions need to evolve
The 2020 Information Security Maturity Report from ClubCISO makes interesting reading.
It compiles responses from 100 of their members to a questionnaire sent in March 2020, around the time of the COVID-19 lockdown decision in the UK. Comparing results year on year is not entirely meaningful for such surveys, in the absence of any form of data normalisation (you have no guarantee that the panel responding is the same year on year); yet some interesting patterns emerge.
The typical respondent is a CISO working for a mid-size or large organisation (82% have more than 500 staff), headquartered in the UK or Ireland (75%), and has spent more than 10 years in the Infosec industry (69%); 60% have been in their present role for less than 2 years.
Collectively, they paint a slightly uncomfortable picture: that of CISO roles and security practices still operating bottom-up, disconnected from the dynamics of the business. When asked which concerns most affect their ability to deliver against objectives, 49% mention the culture of the organisation (as if they were not part of it), 36% the speed of business change (as if it was happening all around them but without them), and 33% the level of board support (although in response to another question, 58% say they would like to report to board level…).
It would be fascinating to ask some of the questions to the direct bosses of the respondents and compare results.
Of course, in such a context of alienation from the business, budgets are hard to come by for CISOs (41% mention budgets as a main concern and 57% mention insufficient staff), frustration builds up and leads to attrition: when asked why they left their last role, 47% of respondents mention “not seeing eye to eye with senior leadership” (!), not having sufficient resources to make their role a success (in their view of course), or frustration with their organisation’s approach to security.
But another shocking fact is that 89% of respondents say they don’t have a security operating model in place (82% say they are working on one at varying degrees). This element alone puts the rest of the survey into perspective: in the absence of a structured framework to work against, most cyber security practices can only operate “as they go along”, in project mode or in firefighting mode. How can you justify budgets, or attract and retain talent, without a frame of reference to work against, and in the absence of a clear governance model, roles, responsibilities and – to a degree – clear career paths?
And again, how can you claim you do not have enough staff in the absence of a target operating model, detailing tasks and the resources required to deliver those tasks? It can only be a finger-in-the-air exercise; the very kind any half-decent CFO would smell miles away.
This kind of empirical, bottom-up and organically developed cyber security function does not work and needs to evolve.
What is required is structure, business acumen and top-down engagement.
The emphasis on security culture throughout the report is valuable and meaningful, but it cannot be the only axis of action for the CISO: security awareness has always been a low-hanging fruit, and an easy sell for CISOs, when they cannot find other levers. You can’t go very wrong by distributing mouse mats and leaflets, and it does not cost the world. But this is not what culture change is about. And there cannot be any culture change that does not come top-down.
The culture of alienation many CISOs have developed is probably comfortable for some; there is always someone to blame (“the business”) and another juicy job to move into afterwards.
But it does not help organisations, or society at large.
To break this spiral of failure, the profile of the CISO needs to evolve and the board needs to take ownership.
This is no longer just about tech – if it ever was. This is about protecting the business against cyber-attacks which have now become a matter of “when, not if”. This is no longer something you can push down in the organisation.
If the board does not see the need – or does not feel qualified – to step in, nothing will ever change for good around cyber security because it has simply become too complex and too transversal. Bottom-up approaches will continue to pour cash down the drain and CISOs will continue to leave every other year out of frustration. And breaches will continue to happen.
If the board wants to set directions, they should drive: Appoint someone they trust and can talk to (it does not have to be a technologist), and empower that person to build or rebuild cyber security practices across the firm, in the light of what the board wants and expects.
The COVID crisis is presenting most organisations with unprecedented situations, but it does not make cyber security less of a priority. On the contrary, cyber security – whether it is in support of remote working, e-commerce or digitalised supply chains – will be a pillar of the “new normal”.
Now is the time to deal with it strategically, and from the top down.