Time to Deal with Cyber Security Strategically, and from the Top Down
This is no longer just about tech — if it ever was
Surveys focused on the concerns and priorities of the CISO community have been quite consistent over the last few years, and collectively they paint a slightly uncomfortable picture: that of CISO roles and security practices still operating bottom-up, disconnected from the dynamics of the business and the broader culture of their organisation.
In spite of the non-stop avalanche of cyber-attacks we have seen over the past decade, many CISOs still complain about lack of board-level engagement and difficulties in getting sufficient budgets.
The overall sentiment is one of frustration, leading to (well-documented) shorter tenures and burnout problems.
But another aspect, often overlooked in the background, is the lack of operating structure many cyber security practices seem to have.
Instead of being built around some form of operating model that would detail processes, tasks, roles and responsibilities for all stakeholders, they seem to be driven by projects (in proactive or reactive mode) and by operational tasks aggregated over time (exception management for some, privileged access management for others, etc.).