
Security culture and governance eat tech for breakfast

Looking back at what happened at ground level throughout the COVID crisis, it is clear that the focus has been entirely on operational matters: From moving into remote working at scale for the services industry, to keeping supply chains working for the manufacturing sector, or many retail firms having to re-invent themselves as digital businesses, literally within weeks. It has all been about keeping the lights on, understandably.

Tech and cyber security have been — and still are — at the heart of all this, and, as we wrote back in April 2020, it is hard not to see those sectors coming out as winners once the dust has settled over the pandemic. …


The Cyber Security Transformation Podcast

A weekly independent podcast with a different take on what’s happening in the cyber security industry

Throughout the second part of 2020, together with Steve Lamb and guests, we have shared our views in a weekly podcast on both the interesting news stories of the week and our own experiences, drawing on decades of real-life experience.

Aimed at CIOs and other C-level executives with a passion for cyber security and delivered most Friday mornings, each 10 to 15 minute episode is framed around an open discussion focused on a particular topic, from security budgets to the evolving role of the CISO or the impact of ransomware and COVID-19. …


Transformational opportunity for firms, or tactical trap for the CISO?

As the COVID crisis continues to develop, one thing is becoming clearer and clearer: Remote working is here to stay, in some form or another; probably as hybrid work. Technically, it has scaled, and it has worked. Throughout the pandemic, it has enabled many industries worldwide to continue operating, and many people to keep their jobs.

From an acceptance perspective, it’s another story. I am yet to meet a single person who would endorse it fully. At one extreme, it disturbs family life, increases isolation, and can lead to depression or burnout. …


Protecting the Public or Protecting Big Business?… The recent downgrading of fines by the UK ICO for British Airways and Marriott raises some questions.

Let’s face it: During the second half of October 2020, we probably came across the first major milestone since GDPR came into force on 25th May 2018: The downgrading by the UK ICO of the fines it had proposed in the summer of 2019 in relation to the 2018 data breaches at British Airways and Marriott.

The UK regulator probably intended to showcase its business acumen and its understanding of the situation those industries are going through with the COVID crisis, but in practice, it is likely to be seen over time as a sign of weakness, and it definitely sets a precedent. …


The key challenges of the transformational CISO are not technological, but managerial.

There is still a vast amount of debate across the cyber security industry about the role of the CISO, their reporting line, their tenure, the levels of stress they’re under, and the burnout epidemic they’re suffering.

But looking into the actual profile of real people in those jobs, talking to them and listening to their problems, you’d quickly realise that there is a fair amount of creative writing involved in a lot that’s being posted.

It is easy to write about “the CISO” thinking this is a fully established C-level role and one of the pillars of corporate governance. In practice, this is far from being the case and the harsh reality is that the role itself is far from mature, in spite of having been in existence — in some shape or another — for about two decades. …


Why large organizations still struggle with decade-old security problems — and how to fix them

I have been involved with information security matters for over 20 years and started writing regularly on the topic in 2015.

Talking to CISOs, CIOs, CEOs and their teams as part of my day-to-day field work as a consultant, I was horrified by what I was seeing in too many large corporates in terms of security maturity levels and the actual problems some were still struggling with — something that goes way beyond anecdotal evidence and is at the heart of survey after survey every year.

After all, information security good practices have been well established for over 20 years and many industry bodies have been promoting them and evolving them throughout that period.

Why is it that large firms which have had fully functioning information security teams in place all that time, and have spent — collectively — hundreds of millions, if not more, on cyber security, are still struggling today with issues — such as patch management — which should have been on their radar for over 10 years?

There is truly a cyber security lost decade for many between the Code Red, Slammer and Blaster outbreaks of 2001–2003 and the WannaCry and NotPetya attacks of 2017.

By failing to get the basics right in terms of security during that time while continuing to engage in massive cloud-driven business transformation programmes which have turned the enterprise into a truly borderless hybrid, many large firms have dramatically increased their level of exposure to cyber threats. And now the acceleration of the digital transformation emboldened by the COVID crisis — which is also creating unprecedented budgetary tensions — is making things even more complex. And politicians and regulators are now involved as the GDPR and CCPA have shown us over the past few years.

At Board level, the “when-not-if” paradigm around cyber-attacks has taken root, but it creates fundamentally different dynamics for CISOs and CIOs, as the focus shifts radically from risk and compliance towards execution and delivery, often in exchange for massive investments around security (at least pre-COVID).

To embed those different dynamics around cyber security and make true progress, large organisations must stop thinking of the topic in pure technological terms, look back and address urgently the underlying cultural and governance issues that have been the true roadblocks of that “lost decade”.

This is the theme I have been developing over the past 5 years through my contribution to the Corix Partners blog and every year since 2017, I have been releasing a selection of key articles in print, grouped by themes, this year with a full section on the COVID-19 crisis and its implications for security leaders.

I am delighted to launch the 2020 edition today, and you can now buy it here on Blurb. I hope readers will find its content thought-provoking and that it will help some move forward. …


The security industry must rebuild its narrative to attract more raw talent at all levels

You don’t have to go far these days to find security professionals complaining about skills shortages, and countless media outlets relaying their views.

But there are at least two sides to this argument and the situation requires a more balanced approach.

There is no doubt — first of all — that the cyber security industry still has an image problem. It often carries a dated tech-heavy narrative and ends up being perceived as an obscure and complex technical niche, something reserved for nerds and geeks: When the excellent ladies of the CEFCYS in Paris published their first guide to the cyber security professions earlier this year, they titled it “I don’t wear a hoodie, yet I work in cyber security”… (“Je ne porte pas de sweat à capuche, pourtant je travaille dans la…


This is not just about tech, and there is no tech silver bullet which can buy you cyber resilience

The COVID crisis is presenting most businesses with unprecedented situations — for good, bad or worse. Uncertainty still dominates but the recession ahead is likely to be deep and could be protracted. Millions of people have already lost their jobs across the world, and many organisations are bracing for further significant spending cuts, in the face of dwindling economic activity. Even in thriving sectors, budgetary caution seems to be the norm amongst C-level executives.

One thing the pandemic has not pushed off the radar is cyber security. As a matter of fact, the volume of cyber-attacks increased to “alarming levels” according to Interpol during the heart of the crisis. For businesses now totally dependent on remote working, e-commerce or digital supply chains, a serious security breach is the last thing they…


Empirical, bottom-up and organically developed cyber security functions need to evolve

The 2020 Information Security Maturity Report from ClubCISO makes interesting reading.

It compiles responses from 100 of their members to a questionnaire sent in March 2020, around the time of the COVID-19 lockdown decision in the UK. Comparing results year on year is not entirely meaningful for such surveys, in the absence of any form of data normalisation (you have no guarantee that the panel responding is the same year on year); yet some interesting patterns emerge.

The typical respondent is a CISO working for a mid-size or large organisation (82% have more than 500 staff), headquartered in the UK or Ireland (75%), and has spent more than 10 years in the Infosec industry (69%); 60% have been in their present role for less than 2 years. …


The COVID crisis has not changed the cyber security fundamentals: What will the new normal be like?

Two recent reports highlight the current cyber security paradox: While the COVID pandemic has turned business and society upside down, well-established cyber security practices — some known for decades — remain the best way to protect yourself.

It might not be the message the authors of those reports wanted to convey, but it remains the dominant impression.

The first one, from the World Economic Forum, published in May (“Cybersecurity Leadership Principles: Lessons learnt during the COVID-19 pandemic to prepare for the new normal” — WEF — 26 May 2020) is once again a superlative summary of good practices, which in the end hardly moves the needle. …


JC Gaillard

Founder & MD @CorixPartners | Co-president #CyberSecurity Group @TelecomParisAl | Non Executive Director | Author | Blogger | Cyber Security Leader
