Simply throwing money at the problem is rarely the answer
Many CIOs and CISOs would have come across this situation after an incident, a serious near-miss or a bad audit report: Suddenly, money and resources – which were previously scarce – appear out of nowhere, priorities shift, and senior executives demand urgent action around cyber security.
It is probably the dream of many CISOs to inherit one day such transformational challenge where money is – apparently – no object. In practice, however, it can also be a curse if you fail to deliver.
What are the key factors in driving successful transformation around cyber security?
Setting the right timeframes
First, the CISO must assess without complacency the true nature of the transformation required, the depth of commitment of senior management, and the timeframes which would be required to deliver real and lasting change – independently of stakeholders expectations.
This is the first area where the CISO will need to manage expectations with senior executives. Change takes “the time it takes”, in particular where culture and behaviours are involved, and some aspects associated with cyber security transformation could be complex, disturb existing business practices and lead to substantial projects (for example around Identity and Access Management or Data Leak Prevention).
In our experience, the complete top-down re-engineering of an entire security practice can take up to 3 to 5 years in any large organisation. Nobody can be expected to achieve anything significant in 6 months to a year if initial maturity levels are very low; 2 years may not be enough either.
The first management challenge of the CISO is to get senior stakeholders to understand that fact. This is about a real commitment to change at least as much as it is about resources, and the ability to think strategically over the mid- to long-term. Not all senior executives or board members are capable of doing that. The CISO will have to find the right allies and use their influence to get the message across.
Merely “fixing” illusory quick-wins never amounts to lasting transformation.
The realisation of the timeframes involved will be rooted in the appreciation by senior management of the tasks involved, and such appreciation needs to be backed against a sound and meaningful assessment of the starting point.
From there, a transformative vision and roadmap can be drawn looking towards the right horizon.
Focusing on clear transformative themes and explicit goals
In situations where the organisation needs to face fundamental change around cyber security, it will be essential to set clear and simple objectives to all parties.
Trying to fix everything at the same time, irrespective of interdependencies and the inherent complexity of some issues, and possibly over unrealistic timeframes, will simply lead to confusion and failure.
Instead, the CISO should start by assessing dependencies between the various parts of the transformative roadmap and group action around broad themes which in turn will focus priorities and investments.
Those themes should be clear, simple to articulate, and structured around explicit goals and milestones.
Delivering through an empowered senior team
Although there will be projects involved in delivering the transformative roadmap, the ultimate objective is to create a sustainable, self-standing transformed security practice. To this end, the re-engineering of their team needs to be the first task for the CISO so that transformation can be delivered through the reshaped team and not only through contingent project resources and consultants.
Defining the right team structure, operating and governance model should be top-priority for the CISO, involving all relevant stakeholders across IT, business and support functions, and also involving all relevant geographies and third-parties.
Staffing the new team should follow and start top-down, so that the CISO can delegate the transformative burden to empowered senior direct reports. This layer of management once established will take on the duties to staff the rest of their teams and to deliver explicit parts of the transformative roadmap. Finding those people – internally or externally – in the current recruitment market could be tough and take time, so starting as early as possible on this phase should be key for the CISO.
From there, the delivery of the transformative roadmap can start, but it will be equally crucial for the CISO to ensure that all key personnel are incentivised to stay the course, as there might be rough waters ahead.
Sticking to the plan
Establishing realistic timeframes, setting clear goals and finding the right people to drive the transformative efforts through a structured team are key. In parallel, the CISO should continue to get all parties on board behind the right transformative roadmap. This phase could easily take up to 6 months, but it is essential to long-term success.
There may be quick-wins, or there may not be. The CISO must resist inventing some where there are none and must also avoid knee-jerk reactions which may only damage the long-term case.
One thing this is NOT about is implementing more tech; at least not upfront.
There is no magical technology platform or service provider which can be – on its own – the answer to a fundamental transformative challenge around cyber security.
Technology will – of course – have a role to play in the transformative effort in most organisations, but the CISO and their team must come to that in due course, and in the right context, set in the right transformative vision, roadmap and operating model. Jumping at tech solutions and tech vendors upfront cannot be the first thing to do.
The overarching challenge for the CISO behind all this lies in getting senior management to see that long-term change is rooted in a long-term vision and long-term planning which takes time to establish.
It may be a hard sell in absence of tactical quick-wins, and a lot will rest on the trust between the CISO and their boss, as well as the personal profile, managerial experience and political acumen of the CISO.
Given the complexities involved, which are not just technical, but also often rooted in culture and governance, delivering lasting change will always require a structured approach and relentless drive to succeed.
Simply throwing money at the problem in the hope of making it disappear, without a proper consideration of those matters simply leads to failure and can only aggravate the perception by senior stakeholders that security is just a cost and a burden.