Founder and Director, Corix Partners | Top Thought Leader in Cyber Security on Thinkers360 | Author | Blogger | Board Advisor.
I think it’s time we got back to basics with most of our cybersecurity commentary. After rereading some articles I wrote years ago, I’m worried I’d barely change a word in a 2016 piece titled “Cybersecurity: When True Innovation Is Doing Now What You Should Have Done Ten Years Ago.”
Sometimes I wonder if some cybersecurity experts, journalists, or tech salespeople live in a parallel universe. They want you to believe that quantum computing and its impact on current cryptography, or cybersecurity in the metaverse, should be on every CISO’s agenda; that zero-trust (or whatever technology they sell) will solve all of the industry’s problems; that all problems invariably stem from a lack of ‘user awareness’; and that all solutions can only consist of buying new tech tools (obviously the ones they sell or represent).
Meanwhile, I’ve noticed that CISOs and other practitioners in the field are grappling with a different reality:
• HR departments are often unwilling to accept a role in joiners-and-leavers processes, or pretend not to handle sensitive personal data.
• IT departments still fail to deploy patches or to build a unified CMDB across their business, despite 15 years of investment in those areas.
• Legal departments treat data privacy compliance as purely a matter of regulatory risk.
Back to basics.
I think it’s time we went back to basics with most of our cybersecurity commentary and refocused on a few key points:
Business ownership is key. It’s no longer about parading the CISO in front of the board once a year, or every time something happens somewhere. It is about the board owning cybersecurity as a board-level topic and treating it as such, not delegating it downwards because it’s “too technical”.
Cybersecurity is not the responsibility of the security team alone. Identify key stakeholders in business units, regions and support functions, and make them accountable for the adequate handling of cybersecurity issues at their level, as part of a structured governance model overseen by a board member.
This is not a matter of throwing money at the problem. Buying more technology and focusing only on operations is unlikely to help companies where cybersecurity maturity has remained low over the decades, despite all the investment in that space.
Two aspects are important to recognize:
1. Cybersecurity didn’t appear with the Covid-19 crisis or the ransomware epidemic; doing the basics right still provides a good level of protection against threats and a good level of regulatory compliance.
2. Large organizations have collectively spent billions over the years with security vendors and consultants, and without identifying the roadblocks that prevented those investments from delivering results in the past, nothing is likely to change.
Looking at the subject through that prism, senior executives will invariably be drawn toward governance and cultural matters: endemic short-termism leading to poor prioritization of security issues, an organizational inability to see beyond perceived “quick wins”, the endless merry-go-round of cybersecurity leaders, and so on.
Facing the reality of cybersecurity takes time and commitment.
Real and lasting change takes time and an unwavering drive, and many large organizations struggle with long-term focus, especially on complex and cross-cutting issues like cybersecurity. Nevertheless, I have found that this spiral of failure can only be broken top-down, by pragmatic senior executives who are willing to face the reality of their problems in that space, without listening to the hype and the sirens of the tech world.
Cybersecurity problems can only be solved in the real world, not in the parallel universe of tech vendors.