People simply trust other people
This excellent November piece from McKinsey on cyber security deserves a comment (“A Framework for Improving Cybersecurity discussions within Organizations” – Jason Choi / Harrison Lung / James Kaplan).
The visualization of the “trust gaps” between the board, the business and IT and the firm, its suppliers and government is a very strong and synthetic way of representing where roadblocks emerge that prevent security strategies from being properly executed, therefore leaving organisations vulnerable to cyber threats.
We highlighted the importance of trust in a broader GRC context in an earlier article, and how dysfunctions breed when distrust sets in.
Of course, it is also true in the cyber security space: Let’s take this opportunity to say this one more time: Firms protect their key assets from cyber threats through the actual deployment of security measures. It’s not having a security strategy, or a plan in place that will protect your organisation but its actual implementation in the field, at the right levels and across the true perimeter of the enterprise, taking into account without complacency the true geographical footprint of the company and its true dependency on vendors and third-parties.
It is strategic execution that is key to protection from cyber threats, and therefore creating the conditions for execution to take place is paramount. Those conditions revolve around trust and closing the “trust gaps” identified in the McKinsey paper.
There are three key factors that will engineer trust and close those gaps:
- Clarity of roles, responsibilities and objectives around cyber security from the board down internally and with third-parties
- Simplicity of language in the formulation of those roles, responsibilities and strategic objectives
- And more importantly, Consistency over the right timeframes and the right budgetary allocations in terms of execution: Transformation in that space can be complex and take time because it often affects people, their culture and their real way of working. There is nothing more efficient at creating distrust on these matters than management changing direction or priorities every time something happens somewhere
It is also essential to reflect on the role and profile of the key people leading strategic execution, and in particular the CISO in the cyber security space.
Large firms are plagued by “ivory tower” head office functions which achieve very little in practice. Cyber security is no exception and is – all too often – one of those. Except that the stakes are getting higher and higher every year, and the time has come to create positive dynamics and break those deadlocks where they exist.
In most cases, navigating around the “trust gaps” and bridging them will require true leadership. The CISO job will never be a job for a junior technologist, an ex-auditor or a life-long consultant. It requires true political acumen and gravitas. Those attributes come with real-life field experience and an in-depth knowledge of the firm, its culture and its people that can only come from a substantial internal tenure, and a considerable managerial experience, in particular when it comes to influencing third-parties. Raising the profile of the CISO will often be key in many firms to efficiently bridge those “trust gaps”.
Because in the end, people will be key to the strategic execution, and people simply trust other people. Internally and externally.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.