The Cybersecurity Parallel Universe: Let's Get Back To Basics

Founder & Managing Director, Corix Partners | Top CyberSecurity Thought-Leader on Thinkers360 | Author | Blogger | Board Advisor.

I think it's about time we go back to basics with most of our cybersecurity commentaries. After re-reading some articles I wrote years ago, it worries me that I would hardly change a word in a 2016 piece titled “Cyber Security: When True Innovation Consists of Doing Now What You Should Have Done Ten Years Ago.”

Sometimes I wonder if some cybersecurity experts, journalists or tech vendors live in a parallel universe. They would have you believe that quantum computing and its impact on current cryptography, or cybersecurity in the metaverse, should be on the agenda of any CISO; that zero-trust (or whatever tech they sell) will solve all the problems of the industry; that all problems come invariably from a lack of “user awareness”; and that all solutions can only involve buying new technical tools (the ones they sell or represent, obviously).

Meanwhile, I've noticed CISOs and other field practitioners struggle with a different reality:

• HR departments are often unwilling to accept a role in joiners and leavers processes or pretend they do not handle sensitive personal data.

• IT departments are still failing at patch deployment or at building a unified CMDB across their estate in spite of 15 years of investments in those areas.

• Legal departments may treat compliance around data privacy as a matter of regulatory risk.

Go back to the basics.

In my view, it's about time we go back to basics with most of our cybersecurity commentaries and refocus attention on a few key points:

Ownership of the matter is key. This is no longer about “wheeling in” the CISO in front of the board every year or every time something happens somewhere. This is about the board owning cybersecurity as a board-level topic and handling it as a board-level topic, not as something to delegate down because it is “too technical.”

Cybersecurity is not the responsibility of the security team. Identify key stakeholders across business units, geographies and support functions, and make them accountable for the adequate handling of cybersecurity matters at their level, as part of a structured operating model, under the supervision of a board member.

This is no longer just a matter of throwing money at the problems. Buying more tech and focusing only on operational matters is not likely to help organizations where cybersecurity maturity has remained low over the past decades in spite of all investments in that space.

Two aspects are key to acknowledge:

1. Cybersecurity didn’t appear with the Covid-19 crisis or the ransomware epidemic, and doing the basics right can still provide a good degree of protection against threats and a good degree of compliance against regulations.

2. Large organizations have been spending billions collectively with security vendors and consultants over the years, and without identifying the roadblocks that have prevented those investments from coming to fruition in the past, nothing is likely to change.

Looking at the topic through that prism will invariably take senior executives toward governance and cultural matters: endemic short-termism leading to adverse prioritization of security matters, incapacity of the organization to look beyond alleged “quick wins,” endless merry-go-rounds of cybersecurity leaders and so on.

Confronting the reality of cybersecurity requires time and commitment.

Real and lasting change takes time and relentless drive, and many large organizations struggle with long-term focus, in particular with complex and transversal matters such as cybersecurity. Nevertheless, I've found this spiral of failure can only be broken top-down, by pragmatic senior executives willing to confront the field reality of their problems in that space, without listening to the hype and the sirens of the tech world.

Cybersecurity problems can only be resolved in the real world, not in the parallel universe of tech vendors.

