Here is a scenario we are seeing far too often in the field: A new CIO comes in, identifies security problems, then nothing serious happens. At best, some tactical initiative is pushed forward to answer outstanding audit issues, or a big gun of the industry is called in to deliver countless slides, out of which some hypothetical 'quick wins' are enacted to calm the Board about cyber risks.
Why so many incoming CIOs seem to be so cautious about cyber security in the early stages of their tenure, in the face of glaring internal issues and constant reminders of data breaches in the news, is a worrying question. Their answers are invariably the same: They have 'more pressing problems elsewhere', 'bigger fish to fry', 'the business won't wear it', 'budgets are too tight'; a new organization is due to be announced 'next week' or 'next month'; they'll 'come to it' in due course, 'next year', 'once the new CEO has decided where priorities should be', and so on.
In most large firms, those have to be seen as poor excuses: The CIO often has hundreds of staff in their teams, tens of millions in annual budget, and a significant direct sign-off limit consistent with their Board-level reporting line. In a context where everything runs in parallel and everything costs money, the truth is that addressing cybersecurity shortcomings from the start is often a mere matter of priorities for any new CIO.
Priorities and personal courage, because the reality is that underlying security problems are invariably complex and involve a combination of organizational, technical and managerial issues:
- Legacy InfoSec teams buried in the org chart, poorly staffed and poorly skilled, forced into constant, tactical and technical firefighting.
- Expensive technical security initiatives half-deployed, poorly sold to business and IT staff because they are always designed as point solutions to specific problems in the absence of any bigger picture, and as a result perceived as a burden and a waste of money.
- Senior management very willing to accept cyber risk as a top risk for the firm, but at the same time refusing to follow basic rules of security hygiene themselves when it comes to mobile devices or passwords (rules that they are otherwise happy to impose on all other members of staff).
Standing up to the Board on those matters to tell them what they need to have, not just give them what they want, takes some gravitas, but should elevate the role of the CIO, not diminish it. For most large and complex firms, if cyber security maturity is low because nothing structured has ever been done in that space in the past, a data breach is merely a question of time. And, given current levels of media and political interest in these topics, gambling on it could be costly in a number of ways (financially or reputationally for the firm; personally for the CEO), as amply demonstrated by the TalkTalk data breach in the UK in 2015.
Not only is waiting for something to happen a dangerous game, but it often leads to absurd knee-jerk reactions which simply perpetuate the pre-existing short-termist approach to security without creating any fundamental change momentum.
Incoming CIOs should not be scared to launch into a cyber security transformation programme in the early stages of their tenure if they see a need, and good governance around cyber security is fast becoming 'the most important criterion for an organization to feel well protected', as highlighted by a short survey from recruitment firm Boyden ('Cybersecurity: Is your Board on board?') collating feedback from 36 top CIOs.
Of course, there may be legacy people problems to resolve and those may take time, but overall, building a sound security organisation and operating model, able to reach and operate across the whole firm, is often the best start. Many security problems cut across corporate silos (into HR, legal, business disciplines) and a strong CISO with true management experience – not a mere firefighter, or a technology hobbyist – can be a strong ally for the CIO in broader transformational battles across IT or the business.