Security culture and governance eat tech for breakfast
Looking back at what happened at ground level throughout the COVID crisis, it is clear that the focus has been entirely on operational matters: From moving into remote working at scale for the services industry, to keeping supply chains working for the manufacturing sector, or many retail firms having to re-invent themselves as digital businesses, literally within weeks. It has all been about keeping the lights on, understandably.
Tech and cyber security have been – and still are – at the heart of all this, and, as we wrote back in April 2020, it is hard not to see those sectors coming out as winners once the dust has settled over the pandemic.
But for now, the focus has been entirely tactical; nobody can see beyond the short term, and it is likely to remain the case for the best part of 2021. This is hard to criticize as a business approach given the scale and depth of the crisis, but in many firms, when it comes to cyber security, it is simply perpetuating and aggravating an endemic tendency, which over the past 10 years, has kept CISOs trapped in endless firefighting, has prevented them from developing in terms of leadership and management skills, and has not brought forward the necessary maturity changes around security in terms of governance, organization and culture.
This will be a serious problem in many firms which would have been locked for years in slow-moving and expensive security programmes, and now need to transform their security practices at pace as cyber security has become a pillar of their “new normal”.
It is an illusion to think that all the tactical and operational focus which has been prevailing around cyber security since the start of the pandemic, is transformative.
It might be counter-intuitive but moving past this operational obsession with cyber security is key, as we look ahead, to unlock long-term transformational dynamics.
The idea that the consistent protection of the business from cyber threats can result entirely and purely from the implementation of technical tools – or ad-hoc pen tests for that matter … – is fundamentally flawed, in absence of a coherent overarching vision.
Tactical knee-jerk reactions simply add layer upon layer of technical legacy. Over time, the poor delivery of poorly selected tools breeds distrust with senior management, who can’t help but seeing that breaches continue to happen in spite of the millions spent. The inefficient reverse-engineering of security processes around the capabilities of the tools leads to escalating operational costs, staff shortages and apparent skills gaps. CISOs feel alienated and leave. All this builds a narrative by which security becomes a cost and a problem, and overtime nobody wins.
Throwing money at the problem – for the industries where that is still an option in the midst of the COVID crisis – is not the answer for firms where security maturity has stagnated as a result from decades of under-investment and adverse prioritisation by the business.
More than ever, now is the time to think in terms of People first, then, Process THEN Technology, if the objective is to build a lasting transformational dynamic around cyber security.
It is a vision that has to come from the top and be relayed across all the silos of the enterprise. Cyber security cannot be seen as the responsibility of the CIO or the CISO. It needs to be visible and credible as part of a coherent business purpose, communicated coherently to the staff by senior management, and relayed – and enforced – by a proper governance framework.
It is the embedding of security values in corporate culture and corporate governance that should drive the transformative efforts around cyber security and will lead ultimately to effective cyber resilience.
This is certainly harder to put in place than buying more tech or doing one more pen test, but it is the key to long term transformative success around cyber security, in particular as younger generations become more and more sensitive to clarity of purpose and positive business values.