The State of Cybersecurity | Jean-Christophe Gaillard, MD & Founder, Corix Partners
David sits down with Jean-Christophe Gaillard as he reflects on over 20 years of growth in the cybersecurity sector. JC reflects on how the cybersecurity model has changed, from one of risk and compliance to real-life inevitability.
Evolution of Cybersecurity – 00:02:10
It’s amazing how it’s evolved over the last 20 years. When I started 20 years ago, we were not talking about cybersecurity, we are talking about information security. Cyber, cybersecurity have appeared effectively five, six, seven years ago. If I look back 20 years ago when I became a CISO for the first time, the main drivers were all around risk and compliance. Information security was essentially a balancing act between risk appetite, compliance requirement and cost. The CISO was essentially a risk manager, in a context where operational risk practices were still in the process of structuring themselves. That trend of having risk and compliance as the main drivers behind information security dominates the first half of the century, roughly until the financial crisis. Since the financial crisis, in the last ten years, what we’ve seen is totally different. Against the backdrop of the financial crisis, we have seen an unprecedented level of technological change, which has revolutionised many industries and society at large. The cloud, more versatile, more powerful, a variety of mobile devices, a variety of emerging technologies, data in particular – really has powered the digital transformation of many and society. All those things from a cybersecurity perspective have introduced more attack surfaces. We have seen a non-stop stream of cyber attacks, of data breaches. Behind that a greater interest from the media, politicians, regulators. All that has created a context really, for many organisations to start realising that all this is real. This is not about risk or compliance. Risk is about uncertainty, things that may or may not happen. Compliance for many people is a race to the bottom, about doing the bare minimum and putting the right ticks in the right boxes. Many organisations over the last 10 years have realised that those threats are real, that they can target your business, that they do target your business, that they will cause harm – that sense of reality really dominates the last decade.
Increasing Cyber Attacks – 00:05:20
Attacks are more and more targeted, the IoT is 100% part of it, in terms of the increase in the number of attack surfaces and the impact it has had on the perception many industries have of the cyber threats. They’re real, they can target you, they can cause you harm. Many organisaions, many boardrooms, it’s very much the conversation, when, not if, paradigm which dominates. The fact that this is just a matter of time – you will be breached. That changes completely the dynamics around security. This is not about risk, something which may or may not happen, this is about reality, this is about certainty, not uncertainty and it needs a completely different approach to cybersecurity and a completely different mindset about it.
C-suite approach to cybersecurity – 00:06:38
It puts the CIO and CISO under tremendous pressure. In many cases, in many organisations were seeing low cybersecurity maturity levels, we are also seeing very large programmes of change being driven from the board down. It brings a lot of pressure for CISOs because now they need to deliver. That to me is the real challenge the industry has, looking toward the next decade. The security industry has had the tendency for a very long time to talk about things that could go wrong and not enough about how to fix things. Now CIOs and CISOs in many ways, are under tremendous pressure to deliver very large transformative change under the scrutiny of the board, often under the scrutiny of regulars as well, which now have the power to impose business threatening fines if personal data is involved, for GDPR and going forward under a variety of regulations around the world.