Focusing ONLY on tactical firefighting is a major mistake, even in a global pandemic
The last twelve months have changed things considerably for the CISO. Cyber security has been centre-stage, and even more now after the SolarWinds and Colonial hacks. Still, this could be a blessing or a curse.
The pandemic keeps evolving on a global scale, and while some countries may be reaching the end of the tunnel, others are still in the midst of the most dramatic phases.
Global business is still significantly impacted, and there is no sign of a “new normal” in sight for many industries.
Still, people are changing jobs, and CISOs in particular, as many firms wake up to the need to ramp up cyber security measures in the face of the accelerated digitization of their business or their large-scale move to remote working.
But, in the face of the new situation created by the pandemic, the approach we highlighted back in 2018 around the “First 100 Days of the CISO” needs adjusting.
It still makes sense for any incoming executive to approach their first period in a new job in a structured way, to meet with business stakeholders and listen to their expectations first in relation to the role, then to build a strategic framework addressing those, and then an execution framework to deliver it.
But two aspects have changed fundamentally:
While stakeholders are more likely to recognise cyber security as an important agenda item, they are still likely to be focused on short-term objectives, either in terms of crisis response or in terms of bounce-back strategy. They may not be receptive to long-term views; as a matter of fact, they may not have any form of long-term visibility for the moment, as the global pandemic continues to unfold world-wide.
That’s the second main issue: 100 days is probably an irrelevant timeframe here, irrespective of how you frame it (back in 2018, we articulated it into 6 days, 6 weeks and 6 months encompassing around 100 business days). Nobody can be sure how the world will be like in 100 days, let alone in 6 months.
So how should an incoming CISO approach their new role?
Meeting with key stakeholders and team members as soon as realistically possible, and listening to their objectives, concerns and priorities, is still key as a starting point.
Back in 2018, we strongly advocated in favour of travelling and meeting face to face – where required – to develop a stronger personal bond: This is not likely to be possible for the short-term, so most of those discussions will have to take place remotely. Let’s face it: This is a problem, and the absence of direct personal interaction could distort the perception the new CISO develops of the firm and its culture – for good or for bad. The most important for the CISO at this stage is to remain aware of that. But establishing direct communication channels with the business – as solid as they can be at the moment – is more essential than ever.
Second, it is likely – as we have already highlighted – that a short-termist agenda will emerge from those discussions. The temptation will be extremely high for the CISO to focus only on alleged low-hanging fruits and on firefighting, at least until the worst of the crisis is over. To be honest, this is the way many CISOs have traditionally approached their first 100 days anyway, so more than a “temptation”, it will be a line of least resistance – or even a well-trodden path – for some.
As a matter of fact, we highlighted back in 2018 that it was a dangerous path to follow and a “curse”, unlikely to lead to the development of truly transformational dynamics around cyber security: That is still the case, but, realistically, it will be a trend difficult to oppose for the new CISO.
In fact, this is the very element that makes the new first 100 days of the CISO far more complex than ever before.
It is no longer just a matter of balancing tactical and strategic objectives while validating strategy and execution frameworks; it could be about doing this in absence of clear strategic visibility from the business, as the path out of the COVID crisis emerges, and in a context where those directions may evolve or change, depending on the turns the crisis may still take.
The new CISO must talk constantly with business stakeholders, to understand how this context is moving, and build their own cyber security strategic options – possibly scenario-based, and ready to be embedded into the post-crisis business strategy as it aggregates. And all this in parallel to short-term tactical work to keep the lights on.
Make no mistakes: This is now becoming a matter of survival for the CISO role at any form of senior leadership level.
“Constant firefighting downgrades the role and the CISO must fight to avoid its gravitational pull” we wrote back in 2018.
Focus ONLY on low-hanging fruits and alleged quick wins, fail to leverage on the opportunities presented by the pandemic to cement cyber security as a true dimension of business strategy, and the new CISO could find their role relegated forever to middle-management layers, alongside other technical operational matters.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on, InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of UK 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.