It’s about time we go back to basics with most of our cyber security commentaries
Re-reading some articles I wrote years ago, it worries me that I would hardly change a word in this 2016 piece (“Cyber Security: When True Innovation Consists of Doing Now What You Should Have Done Ten Years Ago”).
Sometimes I wonder if some cyber security experts, journalists or tech vendors live in a parallel universe.
They would have you believe that quantum computing and its impact on current cryptography, or cyber security in the metaverse, should be on the agenda of any CISO, and that zero-trust (or whatever tech they sell) will solve all the problems of the industry; that all problems come invariably from a lack of “user awareness”, and that all solutions can only involve buying new technical tools (the ones they sell or represent, obviously).
Meanwhile, CISOs and other field practitioners struggle with a different reality:
- HR departments unwilling to accept a role in joiners and leavers processes, or pretending they do not handle sensitive personal data;
- IT departments still failing at patch deployment or at building a unified CMDB across their estate in spite of 15 years of investments in those areas;
- Legal departments treating compliance around data privacy as a matter of regulatory risk.
It’s about time we go back to basics with most of our cyber security commentaries and refocus attention on a few key points:
Ownership of the matter is key: This is no longer about “wheeling in” the CISO in front of the Board every year, or every time something happens somewhere. This is about the Board owning cyber security as a Board-level topic, and handling it as a Board-level topic, not as something you delegate down because it is “too technical”.
Cyber security is not the responsibility of the security team. Key stakeholders have to be identified across business units, geographies and support functions and made accountable for the adequate handling of cyber security matters at their level, as part of a structured operating model, under the supervision of a Board member.
This is no longer just a matter of throwing money at the problems: Buying more tech and focusing only on operational matters is unlikely to help in organisations where cyber security maturity has remained low over the past decades in spite of all the investment in that space.
Two aspects are key to acknowledge:
- Cyber security didn’t appear with the Covid crisis or the ransomware epidemic, and doing the basics right still provides a good degree of protection against most threats and a good degree of compliance with most regulations.
- Large organisations have collectively spent billions with security vendors and consultants over the years, and without identifying the roadblocks which have prevented those investments from coming to fruition, nothing will change.
Looking at the topic through that prism will invariably take senior executives towards governance and cultural matters: Endemic short-termism leading to adverse prioritisation of security matters, the incapacity of the organisation to look beyond alleged “quick wins”, an endless merry-go-round of cyber security leaders…
Real and lasting change takes time and relentless drive, and many large organisations struggle with long-term focus, in particular with complex and transversal matters such as cyber security.
Nevertheless, this spiral of failure can only be broken top-down, by pragmatic senior executives willing to confront the field reality of their problems in that space, without listening to the hype and the sirens of the tech world.
Cyber security problems can only be resolved in the real world, not in the parallel universe of tech vendors.