You Are Not Going to Fix Your Cyber Security Problems by Buying More Tech
For the last 20 years, large organizations have been spending significant amounts of money on cyber security products and solutions, on managed services, and with consultancies large and small.
Yet maturity remains elusive: McKinsey surveyed more than 100 firms in 2021 and found that 70% of its sample “had yet to fully advance to a mature-based approach”. These results are regularly matched by similar reports, and by the anecdotal evidence we see in the field every day.
The consensus among cyber security professionals seems to be that low maturity levels are a consequence of under-investment in that space.
I have rarely seen that hypothesis thoroughly tested and would argue the problem is broader.
In essence, good cyber security practices have been well established for the best part of the last 20 years and, to a large extent, continue to provide most industries with an acceptable level of protection against most threats and an acceptable level of compliance with most regulations.
Over such a long period, security maturity should have developed naturally, had it been carried forward and fostered by a genuine business value placed on protection.
Clearly, in many organizations, that has not been the case, or not to a sufficient extent.
In 2019, the Security Transformation Research Foundation conducted a large-scale piece of research analysing the semantic content of 17 Annual Global Security Surveys from EY, looking at the frequency of keywords and the evolution of the language used.
The research shows two distinct decades emerging very clearly:
- The first decade of this century, dominated by Risk and Compliance considerations: security seen mostly as a balancing act between compliance requirements, risk appetite and cost;
- The second decade of this century, dominated by Threat and Incident considerations: security becoming a necessary fire-fighting practice against constant attacks, in a context of massive technological change driven by mobile devices and the Cloud.
Neither is a positive driver: the first is restrictive and, taken to the extreme, has reduced some security practices to mere box-checking or window-dressing; the second is short-termist and technology-focused.
More importantly, both isolate cyber security from business cycles and business levers.
To me, that’s the heart of the matter, and the main reason why maturity levels have remained low in spite of all investments:
Security was always seen as external to the business, locked in a compliance niche or a technology niche, and alien in both: compliance and risk people focus on the business aspects, while technologists have always been incentivized to deliver on features and performance, not on controls.
This is the cultural cycle that has engineered a chronic problem of talent alienation and adverse prioritization, leading to execution failures in security programmes, the historic reluctance of senior executives to commit to large-scale investments, and the continuing avalanche of breaches.
Now, things are changing: the “when-not-if” paradigm around cyber attacks has taken root in many boardrooms, and the Covid pandemic, with the dependencies on digital services it created, has made the transformational urgency around cyber security practices evident in many firms.
But it would be a mistake for the Board to continue to believe that this is a mere technological problem, to be solved just by adding more layers of technology solutions (zero trust, MFA, AI or whatever it might be). Those controls have their place, but each of them only reduces risk when it is rolled out, configured and maintained by people with the mandate and the incentive to do so.
The key is to acknowledge the cultural and governance context in which the historic under-achievement of many firms in cyber security is rooted.
For genuine and lasting change to take place, cyber security now needs to be visibly linked to business values from the Board down.
It means cyber security ownership being visibly and credibly established at Board level, and cyber security objectives being visibly and credibly driven from there. It also means injecting raw business talent into the mix, by showing that success as a cyber security transformation agent can be a career accelerator, and that such roles should not be seen as a dead end or a second best.
For firms genuinely trying to break away from two decades of failure around cyber security, talent and governance have to be the real levers, not technology.