The security industry needs to pivot away from “talking about things” to “getting things done”
The World Economic Forum’s “Cyber Security Guide for Leaders in Today’s Digital World” (WEF – October 2019) makes interesting reading, but frankly does it move the needle?
It does provide a solid and up-to-date summary of cyber security good practices, and it rightly puts a strong emphasis on the cultural aspects and the importance of trust.
It acknowledges the execution failure around cyber security (“current approaches make it difficult to implement comprehensive best practices across the full extent of the digital and operating environments in organizations”) which is at the heart of what we have been calling the “lost decade”, as well as the product proliferation problem which is plaguing the industry as a whole – and the lives of many CISOs and their teams (“although organizations have many tools in place (…), the tools often cannot be used in concert”).
It also acknowledges the transversal nature of security matters, and the pressing need for the CISO and their teams to work across corporate silos, with support functions, business units, business partners and suppliers, and to build trust with each of those.
But in essence, it says very little around how to get things done, and that’s the crux of the matter.
Many of those issues have been on the table for years. Some of the best practices pushed by the report – around inventories, patching, identity, continuity or crisis management for example – would have been included in similar reports 10 years ago.
So the real question is still very much: why are so many large organizations still struggling with those, and how can the roadblocks which have prevented them from making progress over such a long period of time, in spite of colossal investments, be removed?
We wrote on this very matter for the first time in 2015, echoing an article from McKinsey (“Repelling the Cyber Attackers” – July 2015) and an earlier WEF report, also co-authored with McKinsey (“Risk and Responsibility in a Hyperconnected World” – January 2014).
The 2019 report makes the right diagnosis around execution, as we pointed out above, but largely overlooks the real challenges involved in getting things right, and their underlying governance and human dimension.
The security industry needs to pivot away from “talking about things” and why they go wrong, to “getting things done” and fixing things. This is not a problem which has – or can have – a purely technological solution.
Leadership and the profile of the leaders – NOT TECHNOLOGY – are at the heart of the execution paradigm around cyber security in today’s digital world.
People trust other people, and you need the right leaders to get things done around security, with the right balance of technical understanding, management acumen, personal gravitas and emotional intelligence.
Where do you find such people, in a context where there are hardly any role models around and most CISOs are technologists by background?
Recruiting them from business roles seems the right approach, but to attract the right profiles, security roles have to be elevated so that they can draw in and retain the best. To that end, organizations and governance models have to evolve, as we pointed out in 2018.
A clear and solid governance model established upfront is key to driving any type of large-scale security transformation programme, and old clichés such as “cyber security (being) everyone’s responsibility in an organization” are totally meaningless in the absence of clear roles and responsibilities, reflected in job descriptions and pegged to annual objectives and compensation schemes, at all levels up to the Board.
Those are the real challenges in today’s digital world, as the focus shifts for senior executives, away from risk and compliance considerations towards the real execution and delivery of protective measures.
For too long, the security industry has been talking about what goes wrong without focusing enough on making sure that protective measures are actually in place. This is reflected directly – and quantitatively – in our 2019 semantic analysis of 17 annual “Global Information Security Surveys” from EY spanning the period from 2002 to 2019: keyword markers such as “risk”, “threat”, “compliance” or “incident” appear 3.5 times more frequently across all surveys than words like “governance”, “budget”, “delivery”, “priority”, “culture” or “skill”.
Threats evolve constantly, but old and well-established security basics still go a long way toward ensuring protection in many firms. In the face of escalating cyber-attacks and increasing regulatory pressure, the challenges around cyber security are no longer about knowing what to do, but about getting it done, and getting it done now and for good.