{"id":1878,"date":"2019-08-10T03:12:26","date_gmt":"2019-08-10T03:12:26","guid":{"rendered":"http:\/\/kusuaks7\/?p=1483"},"modified":"2024-05-08T19:14:52","modified_gmt":"2024-05-08T19:14:52","slug":"the-4-pillars-of-a-lasting-cyber-security-transformation","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/the-4-pillars-of-a-lasting-cyber-security-transformation\/","title":{"rendered":"The 4 Pillars of a Lasting Cyber Security Transformation"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Simply throwing money at the problem is rarely the answer<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tMany CIOs and CISOs would have come across this situation after an incident, a serious near-miss or a bad audit report: Suddenly, money and resources \u2013 which were previously scarce \u2013 appear out of nowhere, priorities shift, and senior executives demand urgent action around cyber security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIt is probably the dream of many CISOs to inherit one day such transformational challenge where money is \u2013 apparently \u2013 no object. In practice, however, it can also be a curse if you fail to deliver.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tWhat are the key factors in driving successful transformation around cyber security?\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Setting the right timeframes<\/h3><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tFirst, the CISO must assess without complacency the true nature of the transformation required, the depth of commitment of senior management, and the timeframes which would be required to deliver real and lasting change \u2013 independently of stakeholders expectations.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThis is the first area where the CISO will need to manage expectations with senior executives. Change takes \u201cthe time it takes\u201d, in particular where culture and behaviours are involved, and some aspects associated with cyber security transformation could be complex, disturb existing business practices and lead to substantial projects (for example around Identity and Access Management or Data Leak Prevention).\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIn our experience, the complete top-down re-engineering of an entire security practice can take up to 3 to 5 years in any large organisation. Nobody can be expected to achieve anything significant in 6 months to a year if initial maturity levels are very low; 2 years may not be enough either.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe first management challenge of the CISO is to get senior stakeholders to understand that fact. This is about a real commitment to change at least as much as it is about resources, and the ability to think strategically over the mid- to long-term. Not all senior executives or board members are capable of doing that. The CISO will have to find the right allies and use their influence to get the message across.\n
Merely \u201cfixing\u201d illusory quick-wins never amounts to lasting transformation.<\/strong><\/em><\/blockquote>\nThe realisation of the timeframes involved will be rooted in the appreciation by senior management of the tasks involved, and such appreciation needs to be backed against a sound and meaningful assessment of the starting point.\nFrom there, a transformative vision and roadmap can be drawn looking towards the right horizon.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Focusing on clear transformative themes and explicit goals<\/h3><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIn situations where the organisation needs to face fundamental change around cyber security, it will be essential to set clear and simple objectives to all parties.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tTrying to fix everything at the same time, irrespective of interdependencies and the inherent complexity of some issues, and possibly over unrealistic timeframes, will simply lead to confusion and failure.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tInstead, the CISO should start by assessing dependencies between the various parts of the transformative roadmap and group action around broad themes which in turn will focus priorities and investments.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThose themes should be clear, simple to articulate, and structured around explicit goals and milestones.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Delivering through an empowered senior team<\/h3><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAlthough there will be projects involved in delivering the transformative roadmap, the ultimate objective is to create a sustainable, self-standing transformed security practice. To this end, the re-engineering of their team needs to be the first task for the CISO so that transformation can be delivered through the reshaped team and not only through contingent project resources and consultants.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tDefining the right team structure, operating and governance model should be top-priority for the CISO, involving all relevant stakeholders across IT, business and support functions, and also involving all relevant geographies and third-parties.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nStaffing the new team should follow and start top-down, so that the CISO can delegate the transformative burden to empowered senior direct reports. This layer of management once established will take on the duties to staff the rest of their teams and to deliver explicit parts of the transformative roadmap. Finding those people \u2013 internally or externally \u2013 in the current recruitment market could be tough and take time, so starting as early as possible on this phase should be key for the CISO.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tFrom there, the delivery of the transformative roadmap can start, but it will be equally crucial for the CISO to ensure that all key personnel are incentivised to stay the course<\/a>, as there might be rough waters ahead.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Sticking to the plan<\/h3><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tEstablishing realistic timeframes, setting clear goals and finding the right people to drive the transformative efforts through a structured team are key. In parallel, the CISO should continue to get all parties on board behind the right transformative roadmap. This phase could easily take up to 6 months, but it is essential to long-term success.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThere may be quick-wins, or there may not be. The CISO must resist inventing some where there are none and must also avoid knee-jerk reactions which may only damage the long-term case.\n
One thing this is NOT about is implementing more tech; at least not upfront.<\/strong><\/em><\/blockquote>\nThere is no magical technology platform<\/a> or service provider which can be \u2013 on its own \u2013 the answer to a fundamental transformative challenge around cyber security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nTechnology will \u2013 of course \u2013 have a role to play in the transformative effort in most organisations, but the CISO and their team must come to that in due course, and in the right context, set in the right transformative vision, roadmap and operating model. Jumping at tech solutions and tech vendors upfront cannot be the first thing to do.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe overarching challenge for the CISO behind all this lies in getting senior management to see that long-term change is rooted in a long-term vision and long-term planning which takes time to establish.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIt may be a hard sell in absence of tactical quick-wins, and a lot will rest on the trust<\/a> between the CISO and their boss, as well as the personal profile, managerial experience and political acumen of the CISO.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tGiven the complexities involved, which are not just technical, but also often rooted in culture and governance, delivering lasting change will always require a structured approach and relentless drive to succeed.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSimply throwing money at the problem in the hope of making it disappear, without a proper consideration of those matters simply leads to failure and can only aggravate the perception by senior stakeholders that security is just a cost and a burden.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

There is no magical technology platform or service provider which can be – on its own – the answer to a fundamental transformative challenge around cyber security. The overarching challenge for the CISO lies in getting senior management to see that long-term change is rooted in a long-term vision and long-term planning which takes time to establish. Simply throwing money at the problem in the hope of making it disappear, without a proper consideration of those matters simply leads to failure and can only aggravate the perception by senior stakeholders that security is just a cost and a burden.<\/p>\n","protected":false},"author":529,"featured_media":3590,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[100],"ppma_author":[3178],"class_list":["post-1878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-fraud-amp-risk"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. He is the author of \u201cCyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d, He contributes regularly to\u00a0The Digital Transformation People<\/a>,\u00a0Business 2 Community<\/a>, and\u00a0IoTforAll<\/a>\u00a0platforms, as well as the\u00a0Business Transformation Network<\/a>. He is an expert contributor on the\u00a0CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0InfoSecurity<\/a>\u00a0Magazine, \u00a0Computing<\/a>, the C-Suite.co.uk,\u00a0Info Sec Buzz<\/a>\u00a0and the\u00a0IoD Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=1878"}],"version-history":[{"count":8,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1878\/revisions"}],"predecessor-version":[{"id":36860,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1878\/revisions\/36860"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3590"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=1878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=1878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=1878"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=1878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}