Don’t Expect Cybersecurity to Work in Firms where Nothing Does

JC Gaillard
Security Transformation Leadership
3 min read · Jan 27, 2024

You cannot expect the CISO on their own, bottom-up, to reverse widespread business dynamics, where short-termism prevails everywhere across the business.

I have written at length about the difficulties many large organizations encounter with cybersecurity, and their endemic execution problems when it comes to protecting themselves from cyber threats.

While the diagnosis is relatively clear in my view, there is one aspect that bears repeating, because it frames the entirety of the problem in many firms.

You cannot expect cybersecurity projects to deliver in firms where projects — in general — don’t deliver; where there is no accountability against original objectives; where no-one looks beyond alleged quick wins in ANY project.

With business projects, in the end, it all boils down to well-established business concepts: return on investment, customer acquisition cost, time to market, etc. You kill, stop or reframe a project when it costs too much, goes too slowly, or because business priorities have shifted. You simply cut your losses and everyone moves on. It happens all the time, and those decisions may involve multi-million investments; amounts many CISOs would…

JC Gaillard

Founder & CEO @CorixPartners @Transform_Sec | Top #Cybersecurity ThoughtLeader on @Thinkers360 | Board Advisor & Non-Exec Dir | Author http://buff.ly/41a574n