{"id":10757,"date":"2020-10-28T10:00:04","date_gmt":"2020-10-28T10:00:04","guid":{"rendered":"https:\/\/www.experfy.com\/blog\/?p=10757"},"modified":"2023-10-16T16:06:59","modified_gmt":"2023-10-16T16:06:59","slug":"cyber-security-culture-of-alienation","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/cyber-security-culture-of-alienation\/","title":{"rendered":"Cyber Security and the Culture of Alienation"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Empirical, bottom-up and organically developed cyber security functions need to evolve<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The 2020 Information Security Maturity Report<\/a> from ClubCISO makes interesting reading.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

It compiles responses from 100 of their members to a questionnaire sent in March 2020, around the time of the COVID-19 lockdown decision in the UK. Comparing results year or year is not entirely meaningful for such surveys, in absence of any form of data normalisation (you have no guarantee that the panel responding is the same year on year); yet some interesting patterns emerge.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The typical respondent is a CISO working for a mid-size or large organisation (82% have more than 500 staff), headquartered in the UK or Ireland (75%), and has spent more than 10 years in the Infosec industry (69%); 60% have been in their present role for less than 2 years.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The typical respondent is a CISO working for a mid-size or large organisation (82% have more than 500 staff), headquartered in the UK or Ireland (75%), and has spent more than 10 years in the Infosec industry (69%); 60% have been in their present role for less than 2 years.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Collectively, they paint a slightly uncomfortable picture: The picture of CISO roles and security practices still operating bottom up, disconnected from the dynamics of the business: When asked which concerns most affect their ability to deliver against objectives, 49% mention the culture of the organisation (as if they were not part of it), 36%, the speed of business change (as if it was happening all around them but without them), 33%, the level of board support (although in response to another question, 58% say they would like to report to board level\u2026).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

It would be fascinating to ask some of the questions to the direct bosses of the respondents and compare results.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Of course, in such context of alienation from the business, budgets are hard to get by for CISOs (41% mention budgets as a main concern and 57% mention insufficient staff), frustration builds up and leads to attrition: When asked why they left their last role, 47% of respondents mention \u201cnot seeing eye to eye with senior leadership\u201d (!), not having sufficient resources to make their role a success (in their view of course), or frustration with their organisation\u2019s approach to security.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

But another shocking fact is that 89% of respondents say they don\u2019t have a security operating model in place (82% say they are working on one at varying degrees). This element alone puts the rest of the survey into perspective: In absence of a structured framework to work against, most cyber security practices can only operate \u201cas they go along\u201d, in project mode or in firefighting mode: How can you justify budgets, attract or retain talent without a referential to work against , and in absence of a clear governance model, roles, responsibilities and \u2013 to a degree \u2013 clear career paths?<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

And again, how can you claim you do not have enough staff in absence of a target operating model, detailing tasks and the resources required to deliver those tasks? It can only be a finger-in-the-air exercise; the very kind any half-decent CFO would smell miles away.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This kind of empirical, bottom-up and organically developed cyber security function does not work and needs to evolve.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

What is required is structure, business acumen and top-down engagement.<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The emphasis on security culture throughout the report is valuable and meaningful, but it cannot be the only axis of action for the CISO: Security awareness has always been a low hanging fruit, and an easy sell for CISOs, when they cannot find other levers. You can\u2019t go very wrong by distributing mouse mats and leaflets, and it does not cost the world. But this is not what culture change is about. And there cannot be any culture change<\/a> that does not come top-down.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The culture of alienation many CISOs have developed is probably comfortable for some; there is always someone to blame (\u201cthe business\u201d) and another juicy job to move into afterwards.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

But it does not help organisations, and society at large.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

To break this spiral of failure, the profile of the CISO needs to evolve<\/a> and the board needs to take ownership.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This is no longer just about tech \u2013 if it ever was. This is about protecting the business against cyber-attacks which have now become a matter of \u201cwhen, not if<\/a>\u201d. This is no longer something you can push down in the organisation.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

If the board does not see the need \u2013 or does not feel qualified \u2013 to step in, nothing will never change for good around cyber security because it has simply become too complex and too transversal. Bottom-up approaches will continue to pour cash down the drain and CISOs will continue to leave every other year out of frustration. And breaches will continue to happen.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

If the board wants to set directions, they should drive <\/a>: Appoint someone they trust and can talk to (it does not have to be a technologist<\/a>), and empower that person to build or rebuild cyber security practices across the firm, in the light of what the board wants and expects.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The COVID crisis<\/a> is presenting most organisations with unprecedented situations, but it does not make cyber security less of a priority. On the contrary, cyber security \u2013 whether it is in support of remote working, e-commerce or digitalised supply chains \u2013 will be a pillar of the \u201cnew normal\u201d.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Now is the time to deal with it strategically<\/a>, and from the top down.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

The picture of CISO roles and security practices still operating bottom up, disconnected from the dynamics of the business. Culture of the organisation, the speed of business change, and the level of board support are the concerns that most affect CISOs ability to deliver against objectives.<\/p>\n","protected":false},"author":529,"featured_media":10758,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[871,870,867,869,868],"ppma_author":[3178],"class_list":["post-10757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-board-support","tag-business-change","tag-ciso-roles","tag-organisation-culture","tag-security-practices"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. He is the author of \u201cCyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d, He contributes regularly to\u00a0The Digital Transformation People<\/a>,\u00a0Business 2 Community<\/a>, and\u00a0IoTforAll<\/a>\u00a0platforms, as well as the\u00a0Business Transformation Network<\/a>. He is an expert contributor on the\u00a0CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0InfoSecurity<\/a>\u00a0Magazine, \u00a0Computing<\/a>, the C-Suite.co.uk,\u00a0Info Sec Buzz<\/a>\u00a0and the\u00a0IoD Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/10757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=10757"}],"version-history":[{"count":5,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/10757\/revisions"}],"predecessor-version":[{"id":33469,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/10757\/revisions\/33469"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/10758"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=10757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=10757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=10757"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=10757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}