Many large organizations now assume that breaches are simply inevitable due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors that come with those business models. This realization changes fundamentally the dynamics around cybersecurity.
Historically, cyber security has always been seen as an equation between risk appetite, compliance requirements and costs. Compliance and costs were always harder factors. Risk (difficult to measure and quantify) was always some form of adjustment variable.
Risk is about uncertainty. The “When-Not-If” paradigm brings certainty where doubt was previously allowed (or used to manipulate outcomes):
- Cyber-attacks will happen
- Sooner or later, regulators will step in
- They can now impose business-threatening fines around the mishandling of personal data
- Media interest has never been higher around those matters; business reputation and trust in a brand will be damaged by high-profile incidents
All the risk-based constructions which have been the foundations of many cybersecurity management practices are weakened as a result.
Compliance requirements remain (if anything, they are getting stronger as privacy regulators flex their muscles in Europe and the US) and costs cannot be ignored, but “are we spending enough?” has become a much more common question across the boardroom table, than “why do we need to spend so much?”
Role of Chief Information Security Officers
For Chief Information Security Officers (CISOs), protecting the firm becomes imperative. This is no longer about doing the minimum required to put the right ticks in compliance boxes, but very often a matter of genuine transformation. It forces them to work across corporate silos, look beyond the mere technology horizon, which is often their comfort zone, and also look beyond tactical firefighting which often dominates their day-to-day.
Knowing what to do is often the easiest part. After all, good practices in the cybersecurity space have been well known for over a decade, and they still provide adequate protection against many threats, as long as they are properly implemented.
True cyber resilience can only come from in-depth real defense, acting at preventive, detective, mitigative and reactive levels, across the real breadth of the enterprise, functionally and geographically.
“When-Not-If” Paradigm Shifting the Approach
The “When-Not-If” paradigm will often bring the Board’s attention and large resources to cybersecurity, but with those come scrutiny and expectations. The challenge really becomes an execution and a leadership challenge for the CISO.
In large firms where a major overhaul of security practices is required, establishing a sound governance framework and operating model from the start will always be a key factor of long-term success for the CISO.
Equally important will be the need to put people and process first and identify the roadblocks which might have prevented progress in the past around cybersecurity matters.
Repeating the mistakes of the past would simply perpetuate the spiral of failure around security, as would an excessive or premature focus on tech solutions. There is no magical technology product that can fix in a few months what is rooted in decades of adverse prioritization, lip service and underinvestment.
The CISO must appreciate that and place all transformation efforts in the right perspective: Change takes time and relentless drive, and there may not be quick wins.
Managing expectations and staying the course will always be key pillars of any lasting cybersecurity transformation.