Cyber Security: A Look Across Two Decades

The Security industry talks a lot about what could go wrong … but not so much about how to improve things

Research released today by The Security Transformation Research Foundation, ahead of the Cyber Security Leadership Summit in Berlin on 12-14 November 2019, highlights significant trends in the way the language of security has evolved across the last 2 decades.

The foundation analysed the semantic content of 17 annual “Global Information Security Surveys” from leading firm EY, spanning the period 2002-2018.

By looking at the frequency of keyword markers and how those frequencies have evolved over time, the research reveals a clear demarcation between 2 periods.

While across the period up to 2009 the language is clearly dominated by considerations around risk and compliance, those considerations subside during the following decade and are replaced by concerns around threats and incidents.

A language bias analysis also highlights that while the language during the first decade had a clear positive and managerial bias, the trend again changes across the last decade and the language becomes considerably more negative and more technical.

Concerns around the Cloud surge sharply at the junction of the 2 decades and dominate considerations in 2010, 2011 and 2012, then seem to fade into normality and acceptance.

A sense of realisation seems to dominate the junction between the 2 decades: the realisation that this is no longer JUST about Compliance and Risk, that Tech is changing, that threats are real and that incidents do impact Business.

The business language in the surveys also sharpens throughout the period, but considerations around execution, people, culture and skills clearly dwindle.

Overall, as the foundation puts it, “the Security industry tends to talk a lot about what could go wrong … but not as much about what could be done to fix things”, with keyword markers such as risk, threat, compliance or incident 3.5 times more frequent across all surveys than governance, budget, delivery, priority, culture or skill.

As we look towards the next decade, the industry must pivot towards a clearer execution focus: Security can no longer be seen JUST as a matter of risk appetite or as a box-checking exercise; equally, constant firefighting is no longer sufficient as the “when not if” paradigm takes root in the boardroom and senior executives demand real results, often in exchange for very significant investments.

Security must become a delivery imperative, and where existing maturity levels are low, the CISO must become a true transformational leader.

Click here to download the full white paper on the Security Transformation Research Foundation website.

The Security Transformation Research Foundation is a dedicated think-tank and research body aimed at approaching Security problems differently and producing innovative and challenging research ideas in the Security, Business Protection, Risk and Controls space.

Jean-Christophe Gaillard

• A senior executive and a team builder motivated by analysing and resolving Security Strategy, Organisation and Governance challenges, and delivering real long-term solutions

• A track record of driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation

• Over 25 years of experience developed in several global financial institutions in the UK and continental Europe, gaining exposure to all layers of management up to board level

• French national permanently established in the UK since 1993; fluent in English, Spanish & French

Specialties: Security Strategy, Organisation and Governance; Security Roadmaps, Target Operating Models and Governance Frameworks; Business Protection; Corporate Security; Information Security; Cyber Security; Operational Risk Management