Cyber Security maturity stagnates because CISOs are structurally prevented from looking beyond day-to-day firefighting
The Tactical Trap
Many CISOs struggle to look beyond day-to-day firefighting and get trapped in tactical games. We highlighted this last year in the context of our “100 Days” series and it is one of the major factors preventing organisations from developing better levels of cyber security maturity.
In many firms, this goes beyond incidents and the natural need to address those: It is often compounded by three structural elements that trap the CISO in tactical games, force endemically short tenures and create the conditions for a systemic spiral of failure around cyber security.
First, corporate short-termism, which is still prevalent in many organisations amongst senior executive communities:
“In the long term, we’re all dead” and anything that would not impact the next quarter’s figures does not hold interest for very long. Cyber security matters are being pushed towards those levels of management by non-stop media reports around data breaches and the potential level of GDPR fines, but when faced with multi-year, 7 or 8 digit transformative programmes of work around security that would genuinely force the firm to alter the way it works, those executives often revert to what they’ve been doing for decades around compliance: Looking for quick wins and cheap boxes to tick so that they can “show progress” while minimising spend and disruption.
The problem with cyber security is that organisations facing that type of problem are generally in need of a structural overhaul of their security practices, and “quick wins” are often non-existent. Driving real and lasting change takes time. Simply “fixing” illusory quick wins has never been the basis of any transformation.
Second, plain old office politics between IT and Security which have always been a component of the life of many CISOs, irrespective of their reporting line (and this is undoubtedly worse where the CISO does not report to the CIO):
Technologists are trained and incentivised to deliver functionality, not controls, and many, over the past decades, have developed a culture which sees security measures as constraints instead of requirements.
Many CISOs are constantly bombarded by “urgent” requests to define security measures coming from IT people who should know better but are just “passing the buck”.
The CISOs often feel that they would fail by not responding, not realising that this is a game they cannot win, and a form of political and emotional blackmail which must be avoided, especially outside large organisations where teams and resources tend to be smaller: The CISO and their team simply cannot be expected to be deep technical security experts on all technology streams and across all platforms, or to “drop everything” at any time to help projects.
Of course, they can rely on external skills (budgets permitting), but fundamentally roles, responsibilities and demarcation lines should be clear, and resources placed where they should be: The security of IT systems should be the responsibility of the respective IT teams. The security team should assist, validate and control while retaining a degree of independence. This is the spirit of all organisational models developed over the past 20 years around IT security. It should be clear and the CISO and their boss should have the backbone to enforce it.
Finally, in many cases, the greed of the tech industry, which is only aggravating the situation:
For each of those alleged “quick wins” or “urgent” issues to fix, there are countless vendors bidding to sell their products to put a tick in that box, irrespective of any bigger picture.
This is a pressure the CISO must resist. Over time, this accumulation of point solutions simply leads to a product proliferation problem which makes everything more difficult for the CISO and their team: From incident management to compliance reporting, security operations become burdened by the need to collect data across multiple platforms, often in inconsistent formats; resource requirements escalate; and it aggravates the perception that security is just a cost and a pain, instead of a necessary barrier against real and active threats.
The CISO and IT must build the discipline to work with a small number of security vendors and service providers around which they can structure effective and efficient security operations, properly segregated, proportionate to the threats the business is facing and the resources available to fight them.
Clarity of roles and responsibilities across Security and IT, and a clear approach putting People and Process first ahead of ready-made Technology solutions, are the basis on which the CISO can avoid the tactical trap. It is also the only basis over which cyber security maturity can grow, across any organisation, large or small.