No longer just as an equation between risk appetite, compliance requirements and costs
The “When-Not-If” paradigm around cyber-attacks is changing the deal completely around cyber security.
Many large organisations now assume that breaches are simply inevitable, due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors which comes with it.
This realisation changes fundamentally the dynamics around cyber security.
Historically, cyber security has always been seen as an equation between risk appetite, compliance requirements and costs. Compliance and costs were always the harder factors. Risk (difficult to measure and quantify) was always some form of adjustment variable.
Risk is about uncertainty. The “When-Not-If” paradigm brings certainty where doubt was previously allowed (or used to manipulate outcomes):
- Cyber-attacks WILL happen
- Sooner or later, regulators WILL step in
- They can now impose BUSINESS-THREATENING fines around the mishandling of personal data
- Media interest has never been higher around those matters: Business reputation and trust in a brand WILL be damaged by high-profile incidents
All the risk-based constructions which have been the foundations of many cyber security management practices are weakened as a result.
Compliance requirements remain (if anything, they are getting stronger as privacy regulators flex their muscles in Europe and the US) and costs cannot be ignored, but “are we spending enough?” has become a much more common question across the boardroom table, than “why do we need to spend so much?”
For CISOs, protecting the firm becomes an imperative: This is no longer about doing the minimum required to put the right ticks in compliance boxes, but very often a matter of genuine transformation: It forces them to work across corporate silos, look beyond the mere technology horizon (which is often their comfort zone), and also look beyond tactical firefighting (which often dominates their day-to-day).
Knowing what to do is often the easiest part: After all, good practices in the cyber security space have been well known for over a decade, and they still provide adequate protection against many threats – as long as they are properly implemented.
True cyber resilience can only come from real defence in depth, acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the enterprise – functionally and geographically.
The “When-Not-If” paradigm will often bring the Board’s attention and large resources onto cyber security, but with those will also come scrutiny and expectations: The challenge really becomes an execution and a leadership challenge for the CISO.
In large firms where a major overhaul of security practices is required, establishing a sound governance framework and operating model from the start will always be a key factor of long-term success for the CISO.
Equally important will be the need to put people and process first, and to identify the roadblocks which might have prevented progress in the past around cyber security matters.
Repeating the mistakes of the past would simply perpetuate the spiral of failure around security, as would an excessive or premature focus on tech solutions. There is no magical technology product which can fix in a few months what is rooted in decades of adverse prioritization, lip service and under investment.
The CISO must appreciate that and place all transformation efforts in the right perspective: Change takes time and relentless drive, and there may not be quick wins.
Managing expectations and staying the course will always be key pillars of any lasting cyber security transformation.