Cybersecurity is Not Working: Time to Try Something Else | by JC Gaillard | Security Transformation Leadership | Jan, 2024

I am delighted to share below the foreword to my latest book “The Cybersecurity Spiral of Failure — and How to Break out of It”.

I think it is time to accept that the role of the CISO, in its historical construction, was never born out of a positive and proactive management decision.

It was very rarely created — at first — in response to the true realization by senior management of the need to protect the business from real and active threats.

The original iteration of the role, in the late nineties for the early adopters, belongs to that first decade of infosec, which was entirely dominated by risk and compliance considerations: The Security Transformation Research Foundation established this quite clearly through its 2019 semantic analysis of the content of 17 annual Global Security Reports from EY.

Information security was simply seen by senior execs as a constant balancing act between regulatory compliance, risk appetite, and — above all — costs.

The role of the CISO appeared in that context at best in response to audit or regulatory observations, at worst at their imposition, and in some cases almost as a necessary evil.

Of course, the role has evolved since then, but an entire generation of security practitioners has been trapped in a bottom-up mindset, always in search of ways to justify its legitimacy towards the business.

This is amply demonstrated by the endless debate around the CISO’s reporting line, and in particular the obsession of some with board-level reporting, or the evolution of the role in some firms towards IT Risk or Information Risk constructions, attached to a broader Enterprise or Operational Risk function.

Generally, those moves, all well-intentioned and aimed at broadening the acceptance of necessary security measures across the firm, have rarely worked to their full extent.

Over two decades, those bottom-up approaches have collided with endemic corporate short-termism and dysfunctional…
