Cyber Security: The Operational Illusion
Security culture and governance eat tech for breakfast
Looking back at what happened at ground level throughout the COVID crisis, it is clear that the focus has been entirely on operational matters: From moving into remote working at scale for the services industry, to keeping supply chains working for the manufacturing sector, or many retail firms having to re-invent themselves as digital businesses, literally within weeks. It has all been about keeping the lights on, understandably.
Tech and cyber security have been – and still are – at the heart of all this, and, as we wrote back in April 2020, it is hard not to see those sectors coming out as winners once the dust has settled over the pandemic.
But for now, the focus has been entirely tactical; nobody can see beyond the short term, and it is likely to remain the case for the best part of 2021. This is hard to criticize as a business approach given the scale and depth of the crisis, but in many firms, when it comes to cyber security, it is simply perpetuating and aggravating an endemic tendency, which over the past 10 years, has kept CISOs trapped in endless firefighting, has prevented them from developing in terms of leadership and management skills, and has not brought forward the necessary maturity changes around security in terms of governance, organization and culture.
This will be a serious problem in many firms which would have been locked for years in slow-moving and expensive security programmes, and now need to transform their security practices at pace as cyber security has become a pillar of their “new normal”.
It is an illusion to think that all the tactical and operational focus which has been prevailing around cyber security since the start of the pandemic, is transformative.
It might be counter-intuitive but moving past this operational obsession with cyber security is key, as we look ahead, to unlock long-term transformational dynamics.
The idea that the consistent protection of the business from cyber threats can result entirely and purely from the implementation of technical tools – or ad-hoc pen tests for that matter … – is fundamentally flawed, in absence of a coherent overarching vision.
Tactical knee-jerk reactions simply add layer upon layer of technical legacy. Over time, the poor delivery of poorly selected tools breeds distrust with senior management, who can’t help but seeing that breaches continue to happen in spite of the millions spent. The inefficient reverse-engineering of security processes around the capabilities of the tools leads to escalating operational costs, staff shortages and apparent skills gaps. CISOs feel alienated and leave. All this builds a narrative by which security becomes a cost and a problem, and overtime nobody wins.
Throwing money at the problem – for the industries where that is still an option in the midst of the COVID crisis – is not the answer for firms where security maturity has stagnated as a result from decades of under-investment and adverse prioritisation by the business.
More than ever, now is the time to think in terms of People first, then, Process THEN Technology, if the objective is to build a lasting transformational dynamic around cyber security.
It is a vision that has to come from the top and be relayed across all the silos of the enterprise. Cyber security cannot be seen as the responsibility of the CIO or the CISO. It needs to be visible and credible as part of a coherent business purpose, communicated coherently to the staff by senior management, and relayed – and enforced – by a proper governance framework.
It is the embedding of security values in corporate culture and corporate governance that should drive the transformative efforts around cyber security and will lead ultimately to effective cyber resilience.
This is certainly harder to put in place than buying more tech or doing one more pen test, but it is the key to long term transformative success around cyber security, in particular as younger generations become more and more sensitive to clarity of purpose and positive business values.
JC Gaillard
Managing Director
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
Jill Broom
Jill Broom
Jill leads the techUK Cyber Security programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
- Email:
- [email protected]
- Website:
- www.techuk.org/
- LinkedIn:
- https://www.linkedin.com/in/jill-broom-19aa824
Annie Collings
Annie Collings
Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023.
In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.
Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.
- Email:
- [email protected]
- Twitter:
- anniecollings24
- LinkedIn:
- https://www.linkedin.com/in/annie-collings-270150158/
Tracy Modha
Tracy Modha
Tracy supports the marketing of several areas at techUK, including Cyber Exchange, Central Government, Cyber Resilience, Defence, Education, Health and Social Care, Justice and Emergency Services, Local Public Services, Nations and Regions and National Security.
Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!
Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!
- Email:
- [email protected]
- Phone:
- 02073312000
- Website:
- www.techuk.org
- LinkedIn:
- https://www.linkedin.com/in/tracymodha83