Home previous-editionsEnews-Sept 2023 The cybersecurity spiral of failure (and how to break out of it)

The cybersecurity spiral of failure (and how to break out of it)

by JC Gallard

For the past two decades, many organizations have been trapped in a spiral of failure around cybersecurity, driven by endemic business short-termism and the box-ticking culture of many executives around compliance.

Cybersecurity is a complex matter that needs to reach a long way out of its native technical niche, towards business and support functions, and across geographies.

Successful transformation in that space takes time because of the need to reach across those, and effectively embed secure practices across the culture of the firm.

In real-life, many senior executives struggle with a genuine long-term view. “In the long-term we are all dead” and many CISOs coming up with multi-year transformative plans would have been forced by their bosses to focus tactically on alleged quick-wins and compliance box-ticking measures to get their plans accepted, before seeing their initiatives deprioritized at the first sign of any business development (merger, acquisition, arrival or departure of senior executives, economic downturn or anything else)

All this has been fuelling the short-tenure of CISOs and the succession of cyber security leaders – each coming in with their own priorities, pet subjects and pet products – simply led, in many firms, to an accumulation of poorly-deployed, under-utilized “solutions”, invariably architected around the specific capabilities of individual technical tools.

This proliferation of technical debt has reached colossal proportions, with a TrendMicro survey (amongst others) suggesting last year that “global organizations have on average 29 securitymonitoring solutions in place”.

It breeds a level of operational complexity which is highly expensive to run, but also talent-attritive due to the inherently manual nature of the processes it creates; we have reached a point where many security practices have become impossible to scale up in their current state due to the ongoing tensions on the skills market.

SOC analysts burnout; breaches keep happening and senior executives develop a sense that cyber security is just a cost and a problem, which compounds their distrust and reluctance to commit resources (in the face of endemic execution failure in that space), and their native short-termist and box-ticking tendencies (in the face of endless incidents and the regulatory pressure that situation brings).

Author

You may also like