Cybersecurity is Not Working: Time to Try Something Else

JC Gaillard
Security Transformation Leadership
5 min read · Jan 13, 2024

The bottom-up approaches most have been pushing for 20 years around cybersecurity have simply failed

I am delighted to share below the foreword to my latest book “The Cybersecurity Spiral of Failure — and How to Break out of It”.

I think it is time to accept that the role of the CISO, in its historical construction, was never born out of a positive and proactive management decision.

It was very rarely created — at first — in response to the true realization by senior management of the need to protect the business from real and active threats.

The original iteration of the role, in the late nineties for the early adopters, belongs to that first decade of infosec, which was entirely dominated by risk and compliance considerations: The Security Transformation Research Foundation established this quite clearly through its 2019 semantic analysis of the content of 17 annual Global Security Reports from EY.

Information security was simply seen by senior execs as a constant balancing act between regulatory compliance, risk appetite, and — above all — costs.

The role of the CISO appeared in that context at best in response to audit or…

JC Gaillard
Security Transformation Leadership

Founder & CEO @CorixPartners @Transform_Sec | Top #Cybersecurity ThoughtLeader on @Thinkers360 | Board Advisor & Non-Exec Dir | Author http://buff.ly/41a574n