Mastering Cyber Security: The Essential Role of the CISO
Chapter 1: The CISO's Challenge in Cyber Security
The ongoing conversation surrounding cyber security consistently emphasizes one vital aspect: Execution, Execution, and Execution.
The brief tenure of Chief Information Security Officers (CISOs) has sparked considerable discussion, particularly in light of the COVID-19 pandemic and the subsequent wave of resignations. This situation prompts an important question: What can a CISO realistically accomplish in a mere two to three years within the intricate realm of cyber security, especially in substantial organizations?
A reader once highlighted that some CISOs are specifically brought on board to implement targeted compliance programs, often departing once their objectives are met, which typically falls within that two to three-year timeframe. However, this raises another concern: What assurances exist that the incoming CISO will build upon the foundation laid by their predecessor? The interpretation and execution of compliance standards can vary widely, and every cyber security professional has their own expertise and focus areas. Consequently, stepping in to execute a program established by someone else can be quite challenging.
In my opinion, the crux of cyber security is still: Execution, Execution, and Execution.
Understanding the necessary actions is largely established, and following cyber security best practices generally safeguards against most threats while ensuring compliance with various regulations. However, implementing these practices effectively across the vast landscape of a modern enterprise has been where many large organizations have faltered over the past two decades, despite significant investments in technology and consultancy services.
Large enterprises are in a constant state of flux, whether through mergers, organic growth, or digital transformation, not to mention the impact of major global disruptions like the 2008-2009 financial crisis or the COVID pandemic. Business priorities and risk perceptions evolve with the cyclical nature of business; these cycles vary in length and shape how far ahead leaders can see at any point in time.
Yet cyber security operates on different dynamics, particularly in environments where maturity is low and substantial change is essential to tackle rising threats.
Many senior executives have experienced the aftermath of past failures in execution. Some have witnessed multiple generations of CISOs arrive with ambitious transformation plans, requesting hefty budgets, only to leave after a few years with minimal tangible progress.
The secret to success for new CISOs lies in their ability to demonstrate effective execution within appropriate timeframes, skillfully navigating the political intricacies of large organizations and gaining insights into their operational realities.
This process rarely involves merely acquiring more technology. Instead, it focuses on identifying the obstacles that have historically impeded progress and understanding how these issues intertwine with the organization's culture, ultimately finding ways to eliminate or circumvent them.
Achieving this necessitates real-world management experience, personal gravitas, and political savvy—qualities that surpass mere technical expertise. The CISO cannot achieve transformative change in isolation; they must lead a team of specialists, foster influence, and implement protective measures throughout the organization and its supply chain.
Now more than ever, the pivotal concern for transformational CISOs is time: Effective change takes "the time it takes." They must build the right team and guide the long-term evolution of cyber security practices in an increasingly complex and ever-evolving business landscape.
In addition to recognizing business cycles, CISOs need to be realistic about their expectations for enacting change to position their role for sustained success over the mid to long term. They should also be empowered and incentivized by their organizations to pursue these changes.
This task is significantly more challenging compared to a decade or so ago, when enterprises operated in more self-contained environments. To maintain trust with senior stakeholders, CISOs must consistently focus on delivering results—not only in the short term, where tactical initiatives and urgent issues will inevitably arise, but also strategically over the mid to long term as part of a cohesive vision for safeguarding the business, one that has the endorsement of the Board and all levels of leadership.
Contact Corix Partners to learn about developing a successful Cyber Security Strategy for your organization. Corix Partners is a boutique management consultancy and thought-leadership platform that assists CIOs and C-level executives in navigating Cyber Security Strategy, Organization, and Governance challenges.
Chapter 2: Key Insights from Industry Leaders
In the video titled "If Capital One Listened to Our Podcast They Still Would Have Been Breached," industry experts discuss the critical lessons from high-profile security breaches and the importance of effective execution in cyber security practices.