Posts categorized: Leadership

Leadership /

Effective Cybersecurity Transformation Requires More Than Just Financial Investment


An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard


In a recent article, global cybersecurity expert and thought-leader JC Gaillard shared his insights on the complexities of cybersecurity transformation, emphasizing the importance of leadership, governance, and cultural change.

Through this conversation, JC Gaillard highlights that effective cybersecurity transformation is multifaceted, requiring more than just financial investment. It demands committed leadership, a cohesive culture, and a comprehensive strategy that aligns with the organization’s core business objectives.


In your article, you mention that increased budgets alone aren’t sufficient to enhance cybersecurity maturity. Could you elaborate on this?

Certainly. While it’s true that cybersecurity budgets are on the rise, this financial commitment doesn’t automatically translate to improved security postures. The core issue often lies in execution failures. Many organizations have historically approached cybersecurity as a purely technical challenge, delegating it to IT departments without addressing the broader organizational and cultural changes required. This narrow focus can lead to misaligned strategies and persistent vulnerabilities.

 

You emphasize the roles of the “What,” “How,” and “Who” in driving effective cybersecurity change. Can you explain their significance?

Absolutely.

  • The “What”: This pertains to the specific actions and strategies an organization implements to bolster cybersecurity. While identifying these actions is crucial, it’s just the starting point.
  • The “How”: This focuses on the methodology and processes employed to execute the identified strategies. It’s about ensuring that the implementation is effective, sustainable, and adaptable to evolving threats.
  • The “Who”: This is perhaps the most critical aspect. It involves identifying the right individuals or teams responsible for driving and overseeing cybersecurity initiatives. Leadership commitment from the top echelons of the organization is essential. Without active involvement and ownership from senior leaders, cybersecurity efforts can become siloed and lack the necessary authority to enforce meaningful change.

Neglecting any of these dimensions can undermine the entire cybersecurity framework. For instance, even with a clear strategy (“What”) and a solid implementation plan (“How”), without the right leadership and accountability (“Who”), initiatives may falter due to a lack of direction or support.

 

How can organizations shift from a purely technical focus to a more holistic approach to cybersecurity?

The shift begins with leadership. Boards and senior executives must recognize that cybersecurity isn’t just an IT issue but a critical business imperative. This recognition should lead to the integration of cybersecurity into the organization’s core values and culture. Practical steps include:

  • Establishing Clear Governance Structures: Define roles and responsibilities across the organization to ensure accountability.
  • Fostering Cross-Departmental Collaboration: Encourage communication between IT, business units, and support functions to address cybersecurity challenges collectively.
  • Investing in Talent and Training: Develop internal capabilities by training existing staff and attracting new talent with diverse skill sets.
  • Continuous Evaluation and Adaptation: Regularly assess the effectiveness of cybersecurity measures and be willing to adapt strategies as threats evolve.

By embracing a comprehensive approach that encompasses leadership, culture, and technical measures, organizations can build resilient cybersecurity defences.

 

What role does organizational culture play in cybersecurity transformation?

Organizational culture is foundational to cybersecurity. A culture that prioritizes security will naturally encourage behaviours and practices that protect the organization. Conversely, if security is seen as merely a technical or compliance issue, it can lead to disengagement and risky behaviours. Leaders set the tone by:

  • Demonstrating Commitment: When employees see that leadership is genuinely invested in cybersecurity, they’re more likely to take it seriously.
  • Encouraging Open Communication: Creating an environment where employees feel comfortable reporting potential security issues without fear of retribution.
  • Integrating Security into Daily Operations: Making cybersecurity considerations a routine part of business processes rather than an afterthought.

Transforming organizational culture isn’t easy, but it’s essential for sustainable cybersecurity improvements.

 

In your view, what are the common pitfalls organizations face when attempting cybersecurity transformation?

One major pitfall is treating cybersecurity as a series of checkbox exercises aimed solely at compliance. This approach can lead to a false sense of security. Another issue is over-reliance on technology solutions without addressing underlying governance and process challenges. Additionally, failing to engage all relevant stakeholders—from top leadership to frontline employees—can result in fragmented efforts and overlooked vulnerabilities. A successful transformation requires a balanced focus on people, processes, and technology, underpinned by strong leadership and a supportive culture.

 

Finally, what advice would you offer to leaders embarking on cybersecurity transformation?

Start by acknowledging that cybersecurity is a strategic business issue, not just an IT concern. Engage with experts to assess your current posture and identify gaps. Prioritize building a culture of security within your organization, where every employee understands their role in protecting the company’s assets. Ensure that your strategies are adaptable, as the threat landscape is continually evolving. And most importantly, lead by example—demonstrate your commitment to cybersecurity through your actions and decisions.

 


 

JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.

 


 

Read more on our Security Transformation Leadership publication here on Medium


From Firefighting to Transformation: The CISO’s New Reality


Cybersecurity is finally getting board-level attention—but many CISOs are unprepared for the reality of what comes next.

 

For years, the cybersecurity narrative on social media has been dominated by tech vendors and misleading messages—focusing mostly on underfunding and the uphill battle to convince executives of the value of cybersecurity. That’s been the backdrop for as long as I’ve been writing these columns.

But in the real world, many CISOs are now facing a dramatically different reality.

Across boardrooms, the penny has dropped: Cyber-attacks are no longer a matter of “if” but “when.” This shift in mindset has fundamentally changed the dynamics for cybersecurity leaders. Conversations that used to start with “Why do we need to spend this?” now begin with “How much do we need to spend?”

This shift happens more often than one might think. It’s typically triggered by a high-profile incident, a near-miss, looming regulatory pressure, or simply a new executive who’s willing to ask uncomfortable questions.

For CISOs, this sudden elevation—from firefighter to transformational leader—can be as daunting as it is empowering. Often, it’s the same executives who once blocked investments now demanding fast results. Expectations skyrocket. Visibility increases. Execution is no longer optional—it’s assumed.

Yet execution remains deeply complex, especially in large organizations. Cybersecurity is inherently cross-functional. It requires coordination across silos, departments, and geographies—areas where large firms often struggle.

Many CISOs, having spent the last decade stuck in reactive mode with limited support, aren’t always equipped for this shift. A background in technology, while vital, doesn’t automatically prepare someone to lead large-scale organizational change.

The transformational CISO must possess more than technical chops. They need managerial skill, personal credibility, political awareness, and a deep understanding of how their business actually works. These traits carry far more weight than familiarity with the latest buzzwords—be it zero trust or quantum cryptography.

This mismatch between expectations and capabilities is a major contributor to burnout and short tenures in the field. Real transformation doesn’t happen in 18 months. And you don’t gain the experience needed to lead it by hopping jobs at every obstacle—no matter how attractive the salary.

Paradoxically, the urgency of transformation demands patience. CISOs must resist the urge to move too fast without the right leadership foundation. That’s often what causes both personal burnout and project failure.

Business leaders generally understand that complex change takes time. What they value most is honesty about what’s realistic.

The real key for CISOs lies in under-promising and over-delivering. Break the work into achievable steps. Celebrate and communicate early wins. Build trust along the way.

That trust—and the confidence it generates—will become the true driver of lasting, meaningful cybersecurity transformation.


The Future of Cybersecurity Leadership: Breaking the CISO Deadlock


An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard

 

Why Traditional Cybersecurity Roles Aren’t Enough — and How to Transform Them for the Digital Age

 

Cybersecurity is at a crossroads, and for many organizations, it’s not just a technical issue — it’s a leadership and cultural challenge.

To effectively address the growing threat of cyberattacks, businesses must rethink their cybersecurity strategy by elevating the CISO role and creating a more integrated, business-focused leadership structure. Without this transformation, companies risk remaining stuck in a cycle of reactive responses and missed opportunities.

In this interview with JC Gaillard, Founder and CEO of Corix Partners, we explore why the traditional CISO role has struggled to evolve and what needs to change.

 


 

Cybersecurity has been a significant challenge for many businesses. In your opinion, why is the current CISO role facing so many difficulties?

That’s a great question. For the past two decades, cybersecurity has predominantly been treated as a purely technical discipline. The current generation of CISOs is largely made up of technologists, and for them, it’s been about pushing a technology-driven agenda. But that’s created a disconnect. We’ve seen CISOs try to fix the problem from the bottom up — through tools and technology — but this has largely failed, leaving them stuck in a reactive mode, fighting cyberattacks instead of developing long-term strategies.

 

It sounds like the problem isn’t just about the technology, but about a deeper cultural and structural issue. Could you explain that more?

Exactly. It’s a cultural transformation, not just the implementation of new tools. Many business leaders have now recognized the inevitability of cyber-attacks and their devastating impact. But they expect cybersecurity to be executed effectively and efficiently across the business — not just in IT. The problem is that most CISOs are still stuck focusing on the “what” (what needs to be done), but they rarely focus on the “how” (the execution). That’s a big mistake. Cybersecurity has to be integrated into every part of the organization: business functions, support teams, and the growing digital supply chain.

 

So, it sounds like what’s missing is a broader vision of what cybersecurity should be. What’s your solution to this problem?

To break out of this cycle, you need to change how cybersecurity is governed. The CISO role, as it stands, can’t bridge the gaps between technology and business. What I propose is a split of the role. We need to elevate the cybersecurity leader to a more business-facing role, one that is part of the executive team. This new leader would drive the execution agenda across the business, ensuring compliance, reporting, and continuity. Meanwhile, the traditional CISO role should focus on the technical side — managing the IT aspects of cybersecurity.

 

That’s an interesting approach. But what do you see as the challenges in implementing this split in many organizations?

The biggest challenge, especially in some regions, is regulatory pressure and personal liabilities that CISOs face. It’s a risky move for many companies to split the role when they’re worried about compliance issues. But I truly believe this approach could break the current deadlock and stop the cycle of hiring and firing CISOs without achieving meaningful, long-term results. We need to build trust among the executive team and establish governance structures that go beyond just technical expertise.

 

It sounds like you’re advocating for a much more strategic and leadership-oriented role for cybersecurity, not just one focused on firefighting. What do you think needs to happen for companies to make this shift?

There’s a lot of work to be done, especially when it comes to changing the mindset around cybersecurity. Businesses need to understand that it’s not just an IT issue; it’s a core part of the business’s long-term health and success. Achieving this requires personal gravitas from the CISO and a willingness from executives to trust that person. But that shift can only happen if we stop thinking of cybersecurity as merely technical and start viewing it as a business priority that requires leadership, governance, and collaboration across the entire organization.

 

You mentioned earlier that many CISOs are dissatisfied with their roles and often switch jobs without making real changes. Why do you think that happens?

It’s all about the role’s limitations. CISOs are trapped in a cycle of failure because the expectations are misaligned. They’re hired to fix the cybersecurity issue, but because they are stuck in a purely technical space, they can’t address the bigger cultural and organizational gaps. They end up hopping from one job to another, but the issues they face are the same across companies. The leadership around cybersecurity needs to be restructured to be more impactful and forward-thinking.

 

It sounds like a real shift in how companies approach cybersecurity leadership is needed. How optimistic are you that businesses will embrace this change?

I’m cautiously optimistic. The need for transformation is obvious, and many business leaders are starting to see the bigger picture. While it may be difficult in some places due to regulatory constraints, the direction is clear. The cybersecurity landscape needs stronger leadership and more strategic thinking, and that change is necessary for companies to keep up with evolving threats. It’s not just about technology; it’s about governance and business integration. I believe we’re at a turning point, and with the right approach, we can break the current deadlock and make cybersecurity a real business enabler.


Why Cybersecurity Fails in Big Business


Short-term thinking, broken project culture, and the missing link between CISOs and the C-suite

 

I’ve written at length over the past 10 years about the difficulties many large organizations face when it comes to cybersecurity—and particularly the persistent challenges in turning good intentions into effective action and business protection.

While the diagnosis is fairly consistent across many cases, there’s one important idea that bears repeating, because it frames the issue more broadly:

In organizations where accountability is weak, objectives are often vague or shifting, and success is measured primarily by quick wins, it’s hard for any project to reach its full potential—let alone one as complex and cross-functional as cybersecurity.

Cybersecurity initiatives rarely succeed in environments where projects in general struggle to deliver.

In traditional business initiatives, decisions about continuing or stopping a project are often made based on familiar criteria: return on investment, customer acquisition cost, time to market, or simply a change in strategic direction. Projects may be stopped or reframed—even when large sums of money have already been spent—because the organization has mechanisms in place to cut losses and reallocate focus.

Some organizations operate in a near-constant state of flux. New initiatives are launched while others are still underway; priorities are reset frequently. In high-growth environments, this can be seen as a form of dynamism. In more difficult contexts, it’s often a reflection of deeper structural challenges.

Whatever the underlying reason, the result is the same: an organizational climate where sustained focus is hard to achieve.

That matters for cybersecurity, because most meaningful initiatives in this space do not deliver immediate results. After years—sometimes decades—of underinvestment, shifting priorities, and narrow compliance-focused approaches, the work needed to build genuine maturity tends to be foundational, not superficial.

Quick wins may occasionally be possible, but they are rarely enough on their own.

In organizations where cybersecurity has long been deprioritized, transformation must start with business processes and people—not just technology. Tools matter, but without the right foundations, their impact will always be limited.

Unfortunately, many programs still begin with a focus on technology, and stall before they can reach deeper layers of change. Over time, this leads to growing technical debt, increased operational complexity, reliance on manual processes, and ultimately, strain on teams and leadership.

To change this trajectory, organizations need to adopt a longer-term view. Prioritizing process and people—and building from there—requires patience, alignment, and sustained support.

It also requires a broader understanding of what good cybersecurity leadership looks like. Beyond technical expertise, CISOs need the ability to navigate organizational dynamics, influence stakeholders, and lead with credibility across different parts of the business.

But even the most capable CISO cannot drive change alone. To succeed, they need active, visible backing from senior leaders—champions who understand the importance of the security agenda and are willing to support it consistently, over time.

This combination—a business-savvy CISO with leadership presence, and a senior executive sponsor who brings weight and continuity—is often what makes the difference.

It is only in environments where such partnerships exist that transformation can become not only possible, but sustainable.


From Risk to Reality: The Board’s New Cyber Mandate


An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard

 

As cyber threats grow more sophisticated and relentless, Boards of Directors can no longer afford to treat cybersecurity as a technical issue buried in the IT department.

JC Gaillard — long-time cybersecurity strategist and founder of Corix Partners — has been calling for a fundamental shift in how Boards engage with cyber risk for nearly a decade.

In this conversation, he lays out why it’s time for directors to move beyond checklists and crisis reactions, and start treating cybersecurity as a core element of business survival — one rooted in leadership, accountability, and real-world understanding.

 


 

You’ve been writing about the Board’s role in cybersecurity for nearly a decade. Why has this topic remained so important to you?

Because the discussion keeps getting framed in oversimplified ways. There’s no “one-size-fits-all” answer to how Boards should engage with cybersecurity. The landscape is shaped by too many variables — economic context, industry threats, company history, and maturity levels. Yet we still see governance approaches that are either reactive or superficial. Boards need to move beyond compliance checklists and start thinking of cybersecurity as a core element of business protection.

 

What’s the biggest misconception Boards tend to have?

Many still treat cybersecurity as a technical issue that can be delegated downward, or as a risk that might or might not materialize. But in the current environment — where threats are constant — that mindset is outdated. It’s no longer about “if,” it’s about “when.” The Board has to own the business protection agenda and ensure it is grounded in real-world awareness, not just hypothetical risk models.

 

You’ve previously written about the Board’s response to high-profile breaches, like the TalkTalk breach in the UK in 2016, and again after WannaCry and NotPetya in 2019. How has your thinking evolved since then?

Those earlier pieces focused on how Boards react in the aftermath of major incidents. In crisis mode, Boards tend to have a clearer agenda — it’s easier to act when something has gone wrong. But that approach isn’t sustainable. In my 2022 piece, I challenged the idea that Boards can afford to remain passive until a breach occurs. They must take proactive ownership, even when there’s no immediate crisis.

 

How should Boards begin that proactive ownership?

First, by building a meaningful understanding of the threat landscape — not just in abstract terms, but in terms specific to their business: Who might target them? Why? With what level of sophistication? What systems or data would be attractive to attackers? If that knowledge doesn’t exist in the Boardroom, it must be brought in — either through independent directors or trusted advisors. But it needs to be expressed in language the Board understands, not just technical jargon.

 

And what about executive accountability?

That’s absolutely critical. The Board must establish clear, unequivocal accountability for cybersecurity at the executive level. Not buried three levels down in IT, but in the C-suite. And that accountability should be tied to remuneration and performance metrics. It’s no longer acceptable to wheel in the CISO twice a year after something has gone wrong or just to tick a compliance box. The conversation needs to be continuous and strategic.

 

What should that Board-executive dialogue look like in practice?

It should be grounded in the company’s historical experience with cyber threats. Every large organization has had incidents or near-misses by now. Boards should ask: What lessons were learned? Was the response adequate? Are we funding the right capabilities? Are we thinking in the right timeframes — especially when long-term change is needed? That’s how you avoid repeating mistakes and ensure resilience over time.

 

You’ve deliberately avoided using the word “risk” in some of your writing. Why?

Because “risk” implies uncertainty — things that may or may not happen. But in today’s landscape, the threat is constant. Framing cybersecurity as “risk” encourages a mindset of mitigation, transfer, or acceptance. We need to talk instead about business protection — about securing what matters in a world where threats are already present. It’s a deeper, more grounded way to engage.

 

So what’s your core message to Boards today?

Stop treating cybersecurity as someone else’s problem. Take ownership. Get the right knowledge into the room. Hold your executives accountable. And engage with cybersecurity as a strategic business imperative — not just a compliance exercise. It’s time to step up, because in today’s world, this is about survival and long-term trust.


Tool Fatigue: Cybersecurity’s Dirty Secret


Behind the AI hype and vendor noise lies an unsustainable security mess.


Every year, as conference season approaches, I find myself struck by the sheer volume of cybersecurity products, services, and vendors crowding the market.

I’ve been writing about this trend since 2019, and if anything, the landscape has only become more fragmented. Despite expectations, there’s still no meaningful consolidation on the horizon — and that’s a red flag. A market this crowded isn’t necessarily a sign of innovation; it may be a sign of dysfunction.

The situation has worsened in recent years as countless startups have jumped aboard the AI bandwagon. While many vendors seem successful — at least in attracting investor dollars — that success is often driven more by a surge in cyber-attacks and the hype around AI than by actual market demand.

Which brings me to a fundamental question: Who is buying all these tools?

There will always be a “box-checking” market. Some tools are purchased to satisfy audit requirements or prepare for regulatory inspections — often with little to no scrutiny or competitive evaluation. That segment is alive and well.

But other areas — like Governance, Risk & Compliance (GRC) and Identity & Access Management (IAM) — are becoming painfully overcrowded. In these saturated segments, how does a vendor stand out without a clear, credible, and differentiated message? Scaling a product in this environment is nearly impossible without a sharply defined value proposition.

Worse still, many vendors fail to articulate the business problem they’re solving. Their marketing materials are often packed with technical jargon, intelligible only to those deep inside a narrow specialty. It’s as if these tools are designed by technologists for technologists, with little thought given to the broader business context.

As a result, these solutions are usually purchased in isolation — point solutions acquired by individual team leaders to solve narrow problems. But collectively, they’ve led to a bloated, chaotic cybersecurity landscape in many large enterprises, where dozens of tools are deployed with little integration or strategy.

The consequences are serious:

  • Security operations are fragmented.
  • Compliance and incident response become manual and inefficient.
  • Costs rise as more human effort is needed to bridge gaps between tools.
  • Automation and integration remain elusive.

This tool sprawl contributes directly to the skills gap plaguing the industry. Without streamlining, scaling operations to meet growing threats becomes virtually impossible.

This is the harsh reality behind all those flashy trade show booths: Even if individual tools serve a purpose, their unchecked accumulation has made it nearly impossible for enterprises to respond effectively and efficiently to evolving threats.

Buying more tools won’t help — not unless something fundamental changes.

What’s needed is a strategic shift. Cybersecurity teams must stop addressing each problem in isolation and start building coherent, streamlined, and integrated security ecosystems. This is where the CISO’s leadership is critical.

CISOs must define a clear product vision and roadmap, prioritize simplification, and lead the charge in decluttering their organizations’ cybersecurity stacks. Automation should be central to this effort — but only if it’s paired with a ruthless focus on rationalization.

This mindset is more essential than ever as AI-based solutions proliferate. Without it, we’re simply adding to the chaos.

 



JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.




Read more on our Security Transformation Leadership publication here on Medium

Why the Board Needs to Learn Cyber Too: Rethinking the CISO Conversation

It’s time to stop blaming CISOs for poor communication—and start redesigning boardroom dynamics.


You don’t have to search far online or on social media to find articles discussing the difficulties CISOs face when engaging with the Board. Most of them repeat the same familiar refrain: CISOs don’t speak the language of the business and need to learn it. According to this view, better communication hinges on CISOs adapting their style to meet executive expectations, explaining their work in commercial terms, and making their teams’ value clear.

But to me, this argument is a legacy of two decades of failed bottom-up thinking in cybersecurity. It’s time to rethink the model. If the goal is truly effective board-level engagement, new dynamics need to be introduced—ones that shift responsibility onto both parties, not just the CISO.

First, let’s recognize that most Boards no longer need convincing that cybersecurity matters. That conversation is over. What they do need is a clear understanding of the specific and evolving threats their organizations face—and how those threats intersect with operational realities and strategic goals.

This requires more than a token appearance from the CISO once or twice a year. That may tick a compliance box, but it won’t build the trust or familiarity required for meaningful dialogue.

CISOs are, by and large, technologists by background. There’s nothing wrong with that; in fact, it reflects the origins and evolution of the CISO role since it first emerged in the 1990s. While many CISOs have grown into broader corporate responsibilities, their strengths often remain in the technical domain, not in navigating the political and strategic complexities of the boardroom.

Boardrooms, meanwhile, are inherently political environments, full of competing priorities, shifting agendas, and complex personalities. Without understanding these dynamics—or the broader context of what’s happening at the top of the business—even the most well-prepared CISO will struggle to connect their message to what matters most at that level.

External experts or non-executive directors may offer general knowledge and risk context, but only the CISO can provide a grounded view of the firm’s actual security posture. The catch? They can only do this effectively if the Board gives them the context they need to tailor that input to the moment.

This goes far beyond the oft-repeated call to “align cyber strategy with business strategy.” What’s needed is an ongoing alignment of execution—across the strategic lifecycle of the business. And that lifecycle is constantly shifting due to mergers, acquisitions, leadership changes, market dynamics, technological evolution, and global disruptions.

For Board-level conversations about cybersecurity to be truly valuable, they need to reflect this complexity. Cybersecurity is, by nature, a cross-functional and evolving challenge. That’s why I believe Boards would benefit from embedding a broader role—one that spans all aspects of business protection and compliance—at the executive level.

A “Chief Security Officer” (CSO), positioned at the top of the organization, could be pivotal in reshaping corporate engagement around cybersecurity. This role would relieve CISOs of reporting burdens for which they are often ill-equipped, allowing them to focus on the technical and operational aspects where they add the most value.

Meanwhile, having a peer at the Board table—a CSO who understands both security and corporate dynamics—would help foster better communication and build the trust needed for productive dialogue.

If companies are serious about addressing the CISO–Board disconnect, it’s time to stop asking CISOs to perform impossible tasks. Instead, they should rewire the conversation—and the structure—so both sides can meet halfway. 





From Firefighting to Fortitude: Why Cybersecurity Needs a Seat at the Strategy Table

After years of crisis-driven reaction, it’s time for business leaders to embed protection into the core of strategy—or risk losing more than just data.


Since the onset of the Covid-19 pandemic in 2020, cybersecurity—much like business at large—has been caught in a relentless storm of short-term crises and tactical responses.

First came the pandemic itself, forcing organizations to rapidly scale remote work, secure new digital perimeters, and battle a surge in cyberattacks—all under the weight of global uncertainty.

Then followed the aftermath, marked by geopolitical tensions, disrupted supply chains, and a sharp rise in sophisticated ransomware attacks targeting virtually every sector.

And finally, the generative AI explosion, kicked off by the release of ChatGPT in late 2022, triggered a new wave of shadow IT. The scale and speed of its adoption have dwarfed even the cloud computing boom of 15 years ago—unleashing more complexity, more risk, and more confusion.

Alongside these systemic shifts, isolated but impactful incidents added fuel to the fire:

  • The CrowdStrike episode in mid-2024—not strictly a cybersecurity breach, but a wake-up call on crisis management and business continuity.
  • Rising political and fiscal instability across key economies like France, the UK, and the U.S.
  • And the ongoing specter of geopolitical volatility, creating a perpetual sense of instability.

Much of this was neither predictable nor preventable. Cybersecurity, like many functions, tends to mirror broader business cycles. But in doing so, many security leaders—particularly CISOs—have found themselves stuck in a perpetual firefighting mode, unable to push toward true maturity.

This reactive posture has only worsened long-standing challenges in the cybersecurity space, reinforcing the so-called “spiral of failure” that’s plagued the industry for two decades. It’s also inviting increased regulatory scrutiny, a market reaction to repeated breaches and the perceived inadequacy of business responses.

Despite all this, many companies still show no real signs of a long-term strategy. Compliance is treated as a checkbox. Cybersecurity is siloed under IT. Risk is compartmentalized instead of being integrated across the enterprise.

But the nature of risk has changed. The interconnectedness of modern business—made even more intense by pandemic-driven digitization—means that cyber threats can no longer be contained within traditional silos. Incidents like CrowdStrike’s have shown us that cybersecurity now underpins business continuity.

And that means the response must be strategic, cross-functional, and led from the top.

Right now, we’re stuck in a loop of tactical responses. Everyone talks about “resilience,” but the term has become vague—more consultant-speak than operational reality. At best, it answers the “what” of change. Rarely does it address the “how.”

Here’s how: Businesses must embed protection as a core ethical pillar of strategy.

This isn’t just about compliance. It’s about ensuring the business can function under stress, maintaining digital trust, and safeguarding brand equity and shareholder value over the long haul.

Yes, it’s a shift. But it’s also common sense.

Good leadership today means championing business protection from the top—and embedding it into the culture at every level. Because in the digital age, security is no longer a technical concern. It’s a strategic imperative.





For CISOs, true influence comes from execution, not just investment

Stop Chasing Budget—Start Earning Trust


Two articles crossed my desk in early 2025 that highlight themes I’ve been advocating for over five years—ideas that now demand a broader perspective.

The first, based on Forrester research, labels 2025 as the “year of fiscal accountability” for CISOs, noting that boards increasingly expect clear returns on cybersecurity investments. (“Forrester on cybersecurity budgeting: 2025 will be the year of CISO fiscal accountability,” Louis Columbus, VentureBeat, December 30, 2024.)

This aligns closely with what we’ve been saying since 2019 at the Security Transformation Research Foundation. Our research on the evolution of cybersecurity has tracked a clear shift in priorities since the late 1990s, when the field began gaining traction in the business world.

In our view, the 21st century’s cybersecurity journey can be divided into three distinct eras:

  • The 2000s: Dominated by risk and compliance concerns.
  • The 2010s: Focused on incidents and breach response.
  • The 2020s: A decade that, from the outset, was bound to be defined by execution.

We saw this coming through both data and direct fieldwork. Executives were beginning to accept the inevitability of cyberattacks and were prepared to invest significantly in long-term transformation. Naturally, they would expect execution in return—measurable protection for the business, not just spending and structure.

So, it’s not just 2025 that should be seen as the “year of accountability” for CISOs. In my opinion, the entire decade should carry that label. Yet, it’s disappointing to see so many discussions—like the article referenced above—stop at the investment decision, as if execution were a simple matter of budgets and headcount.

That couldn’t be further from the truth. Anyone who’s worked in cybersecurity long enough knows that.

Cybersecurity is deeply complex and inherently transversal. In large organizations especially, protecting the business cannot be reduced to technical solutions alone. It demands a cross-silo, organization-wide effort. Success in this area requires CISOs to influence far beyond their direct remit—across departments, regions, and business lines.

And that’s not something money alone can buy. It takes experience, strategic thinking, and above all, leadership—the ability to navigate complex politics, inspire confidence, and align people around a shared vision.

This brings me to the second article I mentioned (“How CISOs can forge the best relationships for cybersecurity investment,” Rosalyn Page, CSOonline, January 8, 2025).

While the article rightly highlights the importance of business relationships for securing investment, I’d argue their value goes even deeper. These relationships are the foundation for building meaningful strategies and seeing them through.

Back in our “First 100 Days of the New CISO” series (2017/2018), we emphasized this exact point. The early days in the role are not about pushing a technical agenda, but about listening—to all stakeholders—and understanding the organization’s broader needs and constraints. Only through collaboration can a transformative strategy take shape.

That principle still holds true today.

Trust—not just money—is the real currency for CISOs. And trust is earned over time through a clear vision, alignment with business goals, and consistent delivery.

Yes, strong relationships may unlock investment. But more importantly, they create the only real platform for delivering long-term, transformative success in cybersecurity.

That’s the real challenge for CISOs this decade—and the real opportunity.





The CISO Dilemma: Breaking Free from the Cybersecurity Deadlock

Why the Traditional Role of the CISO is Failing and How to Fix It

 

Recent surveys paint a stark picture of the CISO community—disillusioned, job-hopping, and locked in an endless struggle to justify cybersecurity needs to senior executives. Many find themselves trapped in a cycle of failed bottom-up initiatives, unable to drive real change in protecting their organizations from cyber threats.

This predicament is often seen as unavoidable, yet few analysts question how the cybersecurity industry ended up here—or how to break free from this ineffective model.

The Core Issue: Cybersecurity as a Technical Silo

For over two decades, businesses have treated cybersecurity as a purely technical discipline. Most CISOs today come from technical backgrounds, and their approach reflects this bias. They have long championed technology-driven, tool-based strategies that, for the most part, have failed to deliver meaningful results. Meanwhile, the pace of cyber threats continues to accelerate, fuelled by rapid technological and business evolution.

This reactive, firefighting approach has left many CISOs stuck in an operational loop, unable to develop the leadership and strategic skills necessary to engage effectively with the broader business community.

The Shifting Business Mindset

In contrast, business leaders have evolved. They now recognize the inevitability of cyberattacks and understand their devastating impact. The days of denial are over. What they expect now is effective execution—cybersecurity strategies that align with business priorities, not just technical solutions.

Yet, many CISOs fail to adapt to this shift. They focus their communication on “what” needs to be done but neglect the “how”—reducing execution to a matter of headcount and investment. This narrow perspective weakens their influence and fuels their growing frustration.

Cybersecurity as a Business Imperative

To break this cycle, cybersecurity must move beyond its technical confines. It must integrate across corporate silos—engaging not just IT but also business units, support functions, and an increasingly digital supply chain. For many organizations, this requires a cultural transformation, not just new tools.

Achieving this in large enterprises demands governance structures that foster collaboration, leadership gravitas, and, above all, trust from other executives. Unfortunately, too few CISOs have built these capabilities over the years, leaving them disconnected from broader business objectives.

A New Model for Cyber Leadership

The perpetual dissatisfaction among CISOs stems from their inability to drive meaningful transformation. They move from one job to another, yet the fundamental challenges remain unchanged. Organizations, in turn, replace outgoing CISOs with candidates from the same mold—replicating the problem rather than solving it.

A more effective approach is to restructure the role itself by splitting its responsibilities:

  • Chief Security Officer (CSO): A senior, business-facing executive who is a visible part of the leadership team. This role should own and drive the cybersecurity agenda, regulatory compliance, business continuity, and resilience—ensuring security is embedded into the organization’s broader strategy.
  • Chief Information Security Officer (CISO): A technical expert reporting to the CSO (or possibly the CIO), responsible for the IT and technical execution of the cybersecurity framework.

While regulatory challenges and personal liability concerns may complicate this shift in some regions, it remains a strategy worth exploring to break the current cycle of failure in cybersecurity leadership.

The bottom line? If businesses want real cybersecurity progress, they need to rethink the CISO role—and if CISOs want to thrive, they must evolve beyond their technical roots.



