Posts by: jcgaillard


For CISOs, true influence comes from execution, not just investment


Stop Chasing Budget—Start Earning Trust


Two articles crossed my desk in early 2025 that highlight themes I’ve been advocating for over five years—ideas that now demand a broader perspective.

The first, based on Forrester research, labels 2025 as the “year of fiscal accountability” for CISOs, noting that boards increasingly expect clear returns on cybersecurity investments. (“Forrester on cybersecurity budgeting: 2025 will be the year of CISO fiscal accountability,” Louis Columbus, VentureBeat, December 30, 2024.)

This aligns closely with what we’ve been saying since 2019 at the Security Transformation Research Foundation. Our research on the evolution of cybersecurity has tracked a clear shift in priorities since the late 1990s, when the field began gaining traction in the business world.

In our view, the 21st century’s cybersecurity journey can be divided into three distinct eras:

  • The 2000s: Dominated by risk and compliance concerns.
  • The 2010s: Focused on incidents and breach response.
  • The 2020s: A decade that, from the outset, was bound to be defined by execution.

We saw this coming through both data and direct fieldwork. Executives were beginning to accept the inevitability of cyberattacks and were prepared to invest significantly in long-term transformation. Naturally, they would expect execution in return—measurable protection for the business, not just spending and structure.

So, it’s not just 2025 that should be seen as the “year of accountability” for CISOs. In my opinion, the entire decade should carry that label. Yet, it’s disappointing to see so many discussions—like the article referenced above—stop at the investment decision, as if execution were a simple matter of budgets and headcount.

That couldn’t be further from the truth. Anyone who’s worked in cybersecurity long enough knows that.

Cybersecurity is deeply complex and inherently transversal. In large organizations especially, protecting the business cannot be reduced to technical solutions alone. It demands a cross-silo, organization-wide effort. Success in this area requires CISOs to influence far beyond their direct remit—across departments, regions, and business lines.

And that’s not something money alone can buy. It takes experience, strategic thinking, and above all, leadership—the ability to navigate complex politics, inspire confidence, and align people around a shared vision.

This brings me to the second article I mentioned (“How CISOs can forge the best relationships for cybersecurity investment,” Rosalyn Page, CSOonline, January 8, 2025).

While the article rightly highlights the importance of business relationships for securing investment, I’d argue their value goes even deeper. These relationships are the foundation for building meaningful strategies and seeing them through.

Back in our “First 100 Days of the New CISO” series (2017/2018), we emphasized this exact point. The early days in the role are not about pushing a technical agenda, but about listening—to all stakeholders—and understanding the organization’s broader needs and constraints. Only through collaboration can a transformative strategy take shape.

That principle still holds true today.

Trust—not just money—is the real currency for CISOs. And trust is earned over time through a clear vision, alignment with business goals, and consistent delivery.

Yes, strong relationships may unlock investment. But more importantly, they create the only real platform for delivering long-term, transformative success in cybersecurity.

That’s the real challenge for CISOs this decade—and the real opportunity.




JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.




Read more on our Security Transformation Leadership publication here on Medium


The CISO Dilemma: Breaking Free from the Cybersecurity Deadlock


Why the Traditional Role of the CISO is Failing and How to Fix It


Recent surveys paint a stark picture of the CISO community—disillusioned, job-hopping, and locked in an endless struggle to justify cybersecurity needs to senior executives. Many find themselves trapped in a cycle of failed bottom-up initiatives, unable to drive real change in protecting their organizations from cyber threats.

This predicament is often seen as unavoidable, yet few analysts question how the cybersecurity industry ended up here—or how to break free from this ineffective model.

The Core Issue: Cybersecurity as a Technical Silo

For over two decades, businesses have treated cybersecurity as a purely technical discipline. Most CISOs today come from technical backgrounds, and their approach reflects this bias. They have long championed technology-driven, tool-based strategies that, for the most part, have failed to deliver meaningful results. Meanwhile, the pace of cyber threats continues to accelerate, fuelled by rapid technological and business evolution.

This reactive, firefighting approach has left many CISOs stuck in an operational loop, unable to develop the leadership and strategic skills necessary to engage effectively with the broader business community.

The Shifting Business Mindset

In contrast, business leaders have evolved. They now recognize the inevitability of cyberattacks and understand their devastating impact. The days of denial are over. What they expect now is effective execution—cybersecurity strategies that align with business priorities, not just technical solutions.

Yet, many CISOs fail to adapt to this shift. They focus their communication on “what” needs to be done but neglect the “how”—reducing execution to a matter of headcount and investment. This narrow perspective weakens their influence and fuels their growing frustration.

Cybersecurity as a Business Imperative

To break this cycle, cybersecurity must move beyond its technical confines. It must integrate across corporate silos—engaging not just IT but also business units, support functions, and an increasingly digital supply chain. For many organizations, this requires a cultural transformation, not just new tools.

Achieving this in large enterprises demands governance structures that foster collaboration, leadership gravitas, and, above all, trust from other executives. Unfortunately, too few CISOs have built these capabilities over the years, leaving them disconnected from broader business objectives.

A New Model for Cyber Leadership

The perpetual dissatisfaction among CISOs stems from their inability to drive meaningful transformation. They move from one job to another, yet the fundamental challenges remain unchanged. Organizations, in turn, replace outgoing CISOs with candidates from the same mold—replicating the problem rather than solving it.

A more effective approach is to restructure the role itself by splitting its responsibilities:

  • Chief Security Officer (CSO): A senior, business-facing executive who is a visible part of the leadership team. This role should own and drive the cybersecurity agenda, regulatory compliance, business continuity, and resilience—ensuring security is embedded into the organization’s broader strategy.
  • Chief Information Security Officer (CISO): A technical expert reporting to the CSO (or possibly the CIO), responsible for the IT and technical execution of the cybersecurity framework.

While regulatory challenges and personal liability concerns may complicate this shift in some regions, it remains a strategy worth exploring to break the current cycle of failure in cybersecurity leadership.

The bottom line? If businesses want real cybersecurity progress, they need to rethink the CISO role—and if CISOs want to thrive, they must evolve beyond their technical roots.










CISOs Want Influence—But Trust Has to Come First


Executives don’t need another cybersecurity pitch. They need results.


The CISO Report 2025 from Splunk has sparked widespread discussion across cybersecurity media. The dominant narrative? CISOs are gaining more influence in the boardroom.

But beneath the headlines, familiar struggles persist. Many CISOs still face budget constraints, lack essential soft skills, and experience daily job dissatisfaction.

None of this is new. Most CISOs come from technical backgrounds, and the corporate boardroom—full of politics, strategy, and business priorities—isn’t their natural environment.

The Comfort Zone Trap

Having spent over 25 years in cybersecurity and a decade writing about leadership and governance, I’ve had countless conversations with security professionals about this challenge.

Even those who acknowledge cybersecurity as a business issue often retreat to their technical roots when faced with uncertainty. It’s their comfort zone. But in high-stakes executive discussions, this creates a disconnect. Without trust, CISOs struggle to influence decision-makers.

The fundamental issue? Cybersecurity is still seen as a technical discipline—when in reality, it never has been and never can be.

Logic vs. Business Reality

Many CISOs approach interactions with senior executives as a debate to be won through logic, data, and ROI calculations. They dismiss “fear, uncertainty, and doubt” as outdated and prefer a rational, numbers-driven approach.

But this is the wrong battle. The resistance they face isn’t rooted in a lack of understanding or logic—it’s driven by corporate short-termism and deep-seated cognitive biases.

Executives don’t need another PowerPoint explaining the risks. They already know cyberattacks are inevitable and can be catastrophic. They’ve seen it happen to competitors. Many have lived through crises themselves.

To them, cybersecurity isn’t an isolated concern—it’s just one of many threats to the business, alongside economic downturns, regulatory changes, and supply chain disruptions.

Breaking the Deadlock

Business leaders aren’t looking for CISOs to tell them what needs to be done. They want it done. And after two decades of rising cybersecurity budgets, they’re tired of hearing the same requests for more funding and grand transformation plans that never fully materialize.

CISOs must shift their focus from justifying security needs to proving they can deliver with the resources they have. Consistent, effective execution builds trust. And trust—not spreadsheets or scare tactics—is what unlocks greater influence, better budgets, and long-term success.

That’s the real engine CISOs should be building.










The Cost of Data Breaches: Why the Numbers Don’t Add Up


Cybersecurity ROI is a flawed metric—here’s what truly matters to business leaders.


The cost of data breaches is a recurring topic in the cybersecurity industry. But here’s the challenge: no two breaches are exactly alike. The impact varies based on factors such as the industry sector, the attack’s target, and the victim’s level of preparedness.

Some costs are easy to quantify—such as forensic investigations, legal and PR expenses, and customer support for affected users. However, many researchers take this analysis further, attempting to estimate business losses and reputational damage. That’s where the exercise turns into a guessing game.

Take the 2024 Cost of a Data Breach report by IBM and the Ponemon Institute. While it provides a detailed methodology, its fine print exposes significant flaws:

  1. Inconsistent Comparisons: Year-on-year analysis is unreliable because sample groups change annually. Additionally, reported costs are estimated in local currencies and then converted to USD at fluctuating exchange rates.
  2. Unverified Respondents: The survey relies on “security and C-suite business leaders with first-hand knowledge of data breaches” at their organizations. But their experience levels vary, and their estimates—especially for factors like “business disruption, lost customers, and reputational damage”—are highly subjective.

This doesn’t mean the data is useless. But drowning in pages of decimal-point calculations often leads to misleading conclusions.

So why do these reports keep resurfacing? They reflect a long-standing belief among some industry leaders and security vendors: that cybersecurity investments must be justified with ROI calculations.

The logic goes like this:

  • Data breaches are inevitable.
  • A breach could cost X.
  • My product prevents breaches and costs Y (which is much less).
  • Therefore, investing in my solution delivers a return of Z.

While compelling on paper, this argument has been used for over two decades—and it simply doesn’t work. The numbers are often arbitrary, no single solution can stop all cyber threats, and executives are bombarded with similar justifications across every department.

At this point, senior leaders don’t need to be convinced that cyber threats are serious. They already know breaches can be costly, even catastrophic. They also understand the potential legal and personal liabilities.

What they need is confidence in their organization’s ability to execute a strong cybersecurity strategy. They need assurance that the right leadership is in place.

Ultimately, the most valuable currency in cybersecurity isn’t money—it’s trust. That’s where CISOs should be focusing their efforts.





