Cyber Security maturity stagnates because CISOs are structurally prevented from looking beyond day-to-day firefighting

By Jean-Christophe Gaillard
Published 28 April 2020 (last modified 13 December 2023)
Source: https://www.experfy.com/blog/bigdata-cloud/cyber-security-maturity-stagnates-because-cisos-are-structurally-prevented-from-looking-beyond-day-to-day-firefighting/

The Tactical Trap

Many CISOs struggle to look beyond day-to-day firefighting (https://corixpartners.com/first-100-days-new-ciso-firefighting/) and get trapped in tactical games. We highlighted this last year in the context of our "100 Days" series (https://corixpartners.com/first-100-days-new-ciso-summary/), and it is one of the major factors preventing organisations from developing better levels of cyber security maturity.

In many firms, this goes beyond incidents and the natural need to address them: it is often compounded by three structural elements that literally trap the CISO in tactical games, forcing endemically short tenures (https://corixpartners.com/tenure-ciso-key-driving-security-transformation/) and creating the conditions for a systemic spiral of failure around cyber security.

First, corporate short-termism, which is still prevalent amongst senior executive communities in many organisations:

"In the long term, we're all dead", and anything that would not affect the next quarter's figures does not hold interest for very long. Cyber security matters are pushed towards those levels of management by non-stop media reports about data breaches and the potential size of GDPR fines, but when faced with multi-year, seven- or eight-figure transformative programmes of work around security that would genuinely force the firm to alter the way it works, those executives often revert to what they have been doing for decades around compliance: looking for quick wins and cheap boxes to tick so that they can "show progress" while minimising spend and disruption.

The problem with cyber security is that organisations facing that type of problem are generally in need of a structural overhaul of their security practices, and "quick wins" are often non-existent. Driving real and lasting change takes time. Simply "fixing" illusory quick wins has never been the basis of any transformation.

Second, plain old office politics between IT and Security, which have always been a component of the life of many CISOs, irrespective of their reporting line (https://corixpartners.com/why-still-talking-reporting-line-ciso/), and this is undoubtedly worse where the CISO does not report to the CIO:

Technologists are trained and incentivised to deliver functionality, not controls, and many, over the past decades, have developed a culture which sees security measures as constraints instead of requirements.

Many CISOs are constantly bombarded by "urgent" requests to define security measures, coming from IT people who should know better but are just "passing the buck".

CISOs often feel that they would fail by not responding, not realising that this is a game they cannot win, and a form of political and emotional blackmail which must be avoided, especially outside large organisations, where teams and resources tend to be smaller: the CISO and their team simply cannot be expected to be deep technical security experts on all technology streams and across all platforms, or to "drop everything" at any time to help projects.

Of course, they can rely on external skills (budgets permitting), but fundamentally roles, responsibilities and demarcation lines should be clear, and resources placed where they belong: the security of IT systems should be the responsibility of the respective IT teams. The security team should assist, validate and control while retaining a degree of independence. This is the spirit of all the organisational models developed over the past 20 years around IT security. It should be clear, and the CISO and their boss should have the backbone to enforce it.

Finally, in many cases, the greed of the tech industry (https://corixpartners.com/cyber-security-misleading-message-technology-industry/), which only aggravates the situation:

For each of those alleged "quick wins" or "urgent" issues to fix, there are countless vendors bidding to sell their products to put a tick in that box, irrespective of any bigger picture.

This is a pressure the CISO must resist. Over time, this accumulation of point solutions simply leads to a product proliferation (https://corixpartners.com/security-products-vendors-proliferation/) problem which makes everything more difficult for the CISO and their team: from incident management to compliance reporting, security operations become burdened by the need to collect data across multiple platforms, often in inconsistent formats; resource requirements escalate; and it aggravates the perception that security is just a cost and a pain, instead of a necessary barrier against real and active threats.

The CISO and IT must build the discipline to work with a small number of security vendors and service providers around which they can structure effective and efficient security operations, properly segregated, proportionate to the threats the business is facing and the resources available to fight them.

Clarity of roles and responsibilities across Security and IT, and a clear approach putting People and Process first, ahead of ready-made Technology solutions, are the basis on which the CISO can avoid the tactical trap. It is also the only basis on which cyber security maturity can grow, across any organisation, large or small.

About the author

Jean-Christophe Gaillard is Managing Director and Founder at Corix Partners (https://www.corixpartners.com). He is also a Non-Executive Director with Strata Security Solutions (https://www.stratasecurity.co.uk/), a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association (https://www.telecom-paristech.org/) since May 2016. He is the author of "Cyber Security: The Lost Decade – A Security Governance Handbook for the CISO and the CIO" (http://www.blurb.co.uk/b/9015902-cyber-security-the-lost-decade-2018-edition). He contributes regularly to The Digital Transformation People, Business 2 Community and IoTforAll, as well as the Business Transformation Network. He is an expert contributor on the CIO Water Cooler and has previously published articles on InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites.