Cyber Security maturity stagnates because CISOs are structurally prevented from looking beyond day-to-day firefighting

Jean-Christophe Gaillard Jean-Christophe Gaillard
April 28, 2020 Big Data, Cloud & DevOps

The Tactical Trap

Many CISOs struggle to look beyond day-to-day firefighting and get trapped in tactical games. We highlighted this last year in the context of our “100 Days” series and it is one of the major factors preventing organisations from developing better levels of cyber security maturity. In many firms, this goes beyond incidents and the natural need to address those: It is often compounded by 3 structural elements literally trapping the CISO in tactical games, forcing endemic short tenures and creating the conditions for a systemic spiral of failure around cyber security. First, corporate short-termism, which is still prevalent in many organisations amongst senior executive communities:

“In the long term, we’re all dead” and anything that would not impact the next quarter figures does not grab interest for very long. Cyber security matters are being pushed towards those levels of management by non-stop media reports around data breaches and the potential level of GDPR fines, but when faced by multi-year, 7 or 8 digits transformative programmes of work around security that would genuinely force the firm to alter the way it works, those executives often revert to what they’ve been doing for decades around compliance: Looking for quick-wins and cheap boxes to tick so that they can “show progress” while minimising spend and disruption.

 

The problem with cyber security, is that organisations facing that type of problems are generally in need of a structural overhaul of their security practices, and “quick wins” are often non-existent. Driving real and lasting change takes time. Simply “fixing” illusory quick wins has never been the base of any transformation.

 

 

Second, plain old office politics between IT and Security which have always been a component of the life of many CISOs, irrespective of their reporting line (and this is undoubtedly worse where the CISO does not report to the CIO):

Technologists are trained and incentivised to deliver functionality, not controls, and many, over the past decades, have developed a culture which sees security measures as constraints instead of requirements.

Many CISOs are constantly bombarded by “urgent” requests to define security measures coming from IT people who should know better but are just “passing the buck”. The CISOs often feel that they would fail by not responding, not realising that this is a game they cannot win, and a form of political and emotional blackmail which must be avoided, especially outside large organisations where teams and resources tend to be smaller: The CISO and their team simply cannot be expected to be deep technical security experts on all technology streams and across all platforms, or to “drop everything” at any time to help projects. Of course, they can rely on external skills (budgets permitting), but fundamentally roles, responsibilities and demarcation lines should be clear, and resources placed where they should be: The security of IT systems should be the responsibility of the respective IT teams. The security team should assist, validate and control while retaining a degree of independence. This is the spirit of all organisational models developed over the past 20 years around IT security. It should be clear and the CISO and their boss should have the backbone to enforce it.
Finally, in many cases, the greed of the tech industry, which is only aggravating the situation: For each of those alleged “quick wins” or “urgent” issue to fix, there are countless vendors bidding to sell their stuff to put a tick in that box, irrespective of any bigger picture. This is a pressure the CISO must resist. Over time, this accumulation of point solutions simply leads to a product proliferation problem which makes everything more difficult for the CISO and their team: From incident management to compliance reporting, security operations become burdened by the need to collect data across multiple platforms often in inconsistent formats, resources requirements escalate, and it aggravates the perception that security is just a cost and a pain, instead of a necessary barrier against real and active threats.
The CISO and IT must build the discipline to work with a small number of security vendors and service providers around which they can structure effective and efficient security operations, properly segregated, proportionate to the threats the business is facing and the resources available to fight them. Clarity of roles and responsibilities across Security and IT, and a clear approach putting People and Process first ahead of ready-made Technology solutions, are the basis on which the CISO can avoid the tactical trap. It is also the only basis over which cyber security maturity can grow, across any organisation, large or small.

  • Experfy Insights

    Top articles, research, podcasts, webinars and more delivered to you monthly.

    • Jean-Christophe Gaillard

    Tags
    Fraud & Risk
    © 2021, Experfy Inc. All rights reserved.
    Leave a Comment
    Next Post
    Health Informatics Careers Expected to Grow with Digital Health Market Expansion

    Health Informatics Careers Expected to Grow with Digital Health Market Expansion

    Leave a Reply Cancel reply

    Your email address will not be published. Required fields are marked *

    More in Big Data, Cloud & DevOps
    Big Data, Cloud & DevOps
    Cognitive Load Of Being On Call: 6 Tips To Address It

    If you’ve ever been on call, you’ve probably experienced the pain of being woken up at 4 a.m., unactionable alerts, alerts going to the wrong team, and other unfortunate events. But, there’s an aspect of being on call that is less talked about, but even more ubiquitous – the cognitive load. “Cognitive load” has perhaps

    5 MINUTES READ Continue Reading »
    Big Data, Cloud & DevOps
    How To Refine 360 Customer View With Next Generation Data Matching

    Knowing your customer in the digital age Want to know more about your customers? About their demographics, personal choices, and preferable buying journey? Who do you think is the best source for such insights? You’re right. The customer. But, in a fast-paced world, it is almost impossible to extract all relevant information about a customer

    4 MINUTES READ Continue Reading »
    Big Data, Cloud & DevOps
    3 Ways Businesses Can Use Cloud Computing To The Fullest

    Cloud computing is the anytime, anywhere delivery of IT services like compute, storage, networking, and application software over the internet to end-users. The underlying physical resources, as well as processes, are masked to the end-user, who accesses only the files and apps they want. Companies (usually) pay for only the cloud computing services they use,

    7 MINUTES READ Continue Reading »

    About Us

    Incubated in Harvard Innovation Lab, Experfy specializes in pipelining and deploying the world's best AI and engineering talent at breakneck speed, with exceptional focus on quality and compliance. Enterprises and governments also leverage our award-winning SaaS platform to build their own customized future of work solutions such as talent clouds.

    Join Us At

    Contact Us

    1700 West Park Drive, Suite 190
    Westborough, MA 01581

    Email: support@experfy.com

    Toll Free: (844) EXPERFY or
    (844) 397-3739

    © 2024, Experfy Inc. All rights reserved.