Security is not about “enabling” the business but “protecting” it
At the end of a keynote speech I gave at the excellent CIOWaterCooler LIVE! Event in London on 28th September 2017 on security organisation, governance and creating the dynamics for change around cyber security, I was asked a challenging question on which I would like to elaborate:
It is true that it is one thing – complex enough – to lead and deliver the cyber security transformation of an organisation that has reached the point where it knows it needs to change, but it is another one – equally complex – to create the condition for such realisation to take place.
Where the business mindset is rooted in short-termism and senior executives are unable to look beyond quick wins and the figures for the next month or the next quarter, how do you get them to the point where they realise that without a greater emphasis on security controls, their business will eventually fall victim to cyber criminals, that cyber-attacks are fast becoming a simple matter of WHEN (not IF), and that the associated impact – financial, reputational – is increasingly impossible to quantify?
I don’t think this is a battle that can be won through rational engagement; essentially, it is rooted in breaking down deep cognitive biases, a situation that has been well analysed by Nobel prize laureate Daniel Kahneman amongst others.
In a pure bottom-up approach, it is my opinion that many CIOs or CISOs are simply wasting their time trying to articulate how security could be a “business-enabler” or trying to calculate some hypothetical “ROI” on security investments. More often than not, these exercises only add a vernacular of business language over the same old tech storyline, and when it comes to ROI calculations, those are often open to considerable margins of error or plagued by untested and unverified modelling techniques.
This is not the way, in my opinion, you break those cognitive biases and the problem needs to be approached over time in a completely different manner.
Where security maturity is low but the business is incapable or unwilling to prioritise in favour of much-needed long-term security transformation efforts, the key is for the CISO and the CIO to act at two levels:
First, they must keep their head down, and on a daily basis, continue to deliver on those tactical projects the business want them to drive. They must be successful at that. They must develop a positive and successful relationship with their business. They must be seen as adding value (whatever value means to the stakeholders).
At the same time and in parallel to those delivery efforts, they must constantly focus their language towards the business on the reality of the threats it may be facing.
Not on risk, which ultimately for the business will always be something that may or may not happen, something you can transfer, mitigate, insure against; not necessarily something you need to DO something about.
And they should stay well clear of cliché-esque business jargon (“security as a business-enabler!”) or business concepts they don’t master properly (“ROI of security!”).
They should stick to their core competences (that’s where they will be successful) and always bring the discussion back to the field of reality: After all, cyber threats are real, virulent, targeting almost all business sectors: Cyber security doesn’t have to excuse itself for existing!!!
Data breach after data breach, incident after incident, newspaper article after newspaper article, the CISO and the CIO need to push those real-life events towards business leaders, picking the right battles and the right timing with each executive.
It will require time, political acumen and a true sense of subtle communication with each business leader, but over time, it will chip away at the defences and create the sense with business leaders that threats are real and internal controls insufficient to ensure adequate protection.
Protecting what you care about is a natural thing for most people, and it should gradually shift priorities towards security matters, where before they were structurally stacked against those objectives, even in the most complex business situations.
But the CISO and the CIO must also build their own credibility up throughout the exercise, as it is their trustworthiness and their ability to deliver the much-needed change effort that will be tested.
And that comes through a demonstrable ability to navigate the political complexity of the firm.
A complex task indeed, in particular in large organisations. Not one that needs vague business jargon, but strong and determined leadership.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.