The CISO and the Business

Keep appointing pure technologists in CISO roles and you’ll never win. The Wannacry ransomware attack that affected so many large firms in May 2017 led to a number of animated discussions amongst InfoSec communities.      

The corrective patch (fixing the vulnerability targeted by the malware) was out since March for supported systems and many firms were badly hit because of their reliance on the unsupported Windows XP (which reached end of life in 2014).

The timely deployment of security patches has been regarded as a fundamental security good practice since the CodeRed, Slammer and Blaster virus outbreaks over 10 years ago, so how can it be that so many large firms are still struggling with this today?

It cannot be just a matter of security investment: Many of the firms reportedly affected by the outbreak would have had fully functioning security practices all that time and would have been spending millions every year on security products.

It has to be a plain matter of adverse prioritisation of security issues by IT and business leaders.

Which brings under the spotlights the role and profile of the CISO in those firms. Surely it would have been the CISO’s job to ensure that those matters remain on the agenda of the right leaders, to communicate their urgency, to drive remedial programmes, and to keep hammering at it until it gets fixed.

What is the security community doing wrong, if it is collectively unable to address a technical issue such as the timely deployment of security patches, over a period of time spanning more than a decade?

One reason that is often put forward by security technologists refers to a language disconnect between the CISO and the Business. Somehow, CISOs are not being heard by business leaders and would need to learn to “speak the language of the business”. Such assertion – in itself – raises concerns about the actual profile of the CISO if there are question marks over their ability to rise above mere technological arguments and present them in a language a non-specialist would understand.

Of course, many CISOs are technologists by background; and frankly, security has rarely been seen as a pathway to the top in IT circles, so very often the CISO is either in that job because of a personal interest in the technical aspects of the topic … or because there was little else for them to do.

To break the spiral that has led to the past “lost decade” on cyber security matters, you urgently need to inject talent into the security industry.

It is primarily managerial excellence that is missing and it will have to be attracted by rewarding the right skills at the right level. It is also a matter of cultural transformationfor many firms, because it is about changing the value scale on which security is being judged.

To attract the best leaders, Security – i.e. the protection of a firm’s assets – has to be seen from the Board down as something fundamental that the firm values and rewards. Not as something you can compromise on to maximise profits, or imposed upon you arbitrarily by regulators.

And if you want your CISO to “talk the language of the business”, you could start by appointing someone from the business!!! … or at least an IT leader who is not a mere technology hobbyist and has a true transversal view of your business.

New Call-to-action

A lot of this is about context:

If you present the patch deployment issue as an IT issue, you will be heard by your business in an IT context and prioritised against other IT topics.

If you present it as a matter of fundamental protection against real and active threats, you will be engaging at a different level. But as a CISO, you will need the right voice, the right gravitas, the right profile in the firm to be heard. This is not only a rational argument. You’ll have to use every fact you can find, and always focus your communication with other business leaders on those facts and on the reality of the threats. You’ll have to pick your battles and strike at the right time to convince the right people. You’ll have to break the “bias of imaginability” – theorised by Kahneman – and it will take time. This is a very serious management role that requires a truly senior profile and a considerable amount of experience. And the willingness to stay on for the right course, and that could be considerably more than a mere couple of years.

Keep appointing pure technologists in CISO roles and you’ll never win. The protection of the information the firm needs to function is not a mere technology matter, contrary to what many tech vendors would like you to believe. It has a profound cultural dimension that is at the heart of the relationship between the firm and its employees: You protect naturally what you care about. If your CISO embodies that relation, everything they do will carry that weight and you’ll move forward.

Arrange a Conversation 

Profile Picture
by JC GAILLARD
Corix Partners

A senior executive and alternative thinker motivated by analysing and resolving Cyber Security Strategy, Organisation and Governance challenges

Browse

Article by channel:

Search

Everything you need to know about Digital Transformation

Read more articles tagged: Cyber Security, Featured

Cyber Security

Popular Now

The Case For Digital Transformation
An Executive Summary: Leading Digital by George Westerman, Didier Bonnet & Andrew McAfee
The Case For Digital Transformation
The Digital Transformation Pyramid: A Business-driven Approach for Corporate Initiatives
Strategy & Innovation
Target Operating Models & Roadmaps for Change
Delivery
Data Asset Management (DAM)
Strategy & Innovation
The Innovation Management Theory Evolution Map

Related Articles

Customer Engagement
Three Lessons from the 2016 Global Retail Shopping Season
Cyber Security
The impossible role of the CISO
Strategy & Innovation
Beyond the Business Model Canvas
© Copyright The Digital Transformation People 2018