Over recent years, the GRC (Governance, Risk and Compliance) acronym has become very common in the Information Security community. Various groups discuss the topic actively on professional social media, and countless software and service vendors appear to be offering solutions in that space. There seems to be a variety of views on the topic and a number of competing approaches or practices.

At face value, it is easy to see Information Security Governance, Risk Management and Compliance as three different disciplines. But it can also make a lot of sense to bundle them into one concept, leading to a sound…

Only a cultural shift across the Boardroom can move the needle

The survey released by BT Security in January 2021 (“CISOs under the spotlight”) is interesting, if only by the size of the population surveyed (over 7,000 people) and its triple focus on consumers, employees and business leaders.

But its findings are problematic, in particular in what they reveal of the attitude of senior executives towards cyber security, and the persistence of some problems at the top.

It starts well, with some stats broadly consistent with other surveys and anecdotal field evidence: 58% saying that improving data and network security has become more important to their organisation in the last year…

The protection of the business from cyber threats is something you need to grow, not something you can buy

The role of the Board in relation to cyber security is a topic we have visited several times since 2015, first in the wake of the TalkTalk data breach in the UK, then in 2019 following the WannaCry and NotPetya outbreaks and data breaches at BA, Marriott and Equifax amongst others. This is also a topic we have been researching with techUK, and that collaboration resulted in the start of their Cyber People series and the production of the “CISO at the C-Suite” report at the end of 2020.

Overall, although the topic of cyber security is now definitely on…

Security culture and governance eat tech for breakfast

Looking back at what happened at ground level throughout the COVID crisis, it is clear that the focus has been entirely on operational matters: From moving into remote working at scale for the services industry, to keeping supply chains working for the manufacturing sector, or many retail firms having to re-invent themselves as digital businesses, literally within weeks. It has all been about keeping the lights on, understandably.

Tech and cyber security have been — and still are — at the heart of all this, and, as we wrote back in April 2020, it is hard not to see those…

The Cyber Security Transformation Podcast

A weekly independent podcast with a different take on what’s happening in the cyber security industry

Throughout the second part of 2020, together with Steve Lamb and guests, we have shared our views in a weekly podcast on both the interesting news stories of the week and our own experiences, drawing on decades of real-life experience.

Aimed at CIOs and other C-level executives with a passion for cyber security and delivered most Friday mornings, each 10 to 15 minute episode is framed around an open discussion focused on a particular topic, from security budgets to the evolving role of the…

Transformational opportunity for firms, or tactical trap for the CISO?

As the COVID crisis continues to develop, one thing is becoming clearer and clearer: Remote working is here to stay, in some form or another; probably as hybrid work. Technically, it has scaled, and it has worked. Throughout the pandemic, it has enabled many industries worldwide to continue operating, and many people to keep their jobs.

From an acceptance perspective, it’s another story. I am yet to meet a single person who would endorse it fully. At one extreme, it disturbs family life, increases isolation, and can lead to depression or burnout. …

Protecting the Public or Protecting Big Business?… The recent downgrading of fines by the UK ICO for British Airways and Marriott raises some questions.

Let’s face it: During the second half of October 2020, we probably came across the first major milestone since GDPR came into force on 25th May 2018: The downgrading by the UK ICO of the fines it had proposed in the summer of 2019 in relation to the 2018 data breaches at British Airways and Marriott.

The UK regulator probably intended to showcase its business acumen and its understanding of the situation those industries are going through with the COVID crisis, but in practice, it is likely to be seen over time as a sign of weakness, and it definitely…

The key challenges of the transformational CISO are not technological, but managerial.

There is still a vast amount of debate across the cyber security industry about the role of the CISO, their reporting line, their tenure, the levels of stress they’re under, and the burnout epidemic they’re suffering.

But looking into the actual profile of real people in those jobs, talking to them and listening to their problems, you’d quickly realise that there is a fair amount of creative writing involved in a lot that’s being posted.

It is easy to write about “the CISO” thinking this is a fully established C-level role and one of the pillars of corporate governance. In…

Why large organizations still struggle with decade-old security problems — and how to fix them

I have been involved with information security matters for over 20 years and started writing regularly on the topic in 2015. Talking to CISOs, CIOs, CEOs and their teams as part of my day-to-day field work as a consultant, I was horrified by what I was seeing in too many large corporates in terms of security maturity levels and the actual problems some were still struggling with — something that goes way beyond anecdotal evidence and is at the heart of survey after survey every year. After all, information security good practices have been well established for over 20 years and…

The security industry must rebuild its narrative to attract more raw talent at all levels

You don’t have to go far these days to find security professionals complaining about skills shortages, and countless media outlets relaying their views.

But there are at least two sides to this argument and the situation requires a more balanced approach.

There is no doubt — first of all — that the cyber security industry still has an image problem. It often carries a dated tech-heavy narrative and ends up being perceived as an obscure and complex technical niche, something reserved for nerds and geeks: When the excellent ladies of the CEFCYS in Paris published their first guide to the…

JC Gaillard

Founder & MD @CorixPartners | Co-president #CyberSecurity Group @TelecomParisAl | Non Exec Director @Strata_Sec | Board Advisor | Author | Cyber Security Leader