Posts categorized: Leadership

Leadership / December 18, 2025

Beyond the Cybersecurity Soundbites

An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard

JC Gaillard is one of the cybersecurity field’s most incisive and outspoken thought-leaders, challenging the industry to rethink long-standing assumptions that have outlived their usefulness.

In a pair of influential Forbes Business Council articles this year, JC first debunked deeply entrenched cybersecurity clichés that skew leaders’ perceptions of risk and readiness, and more recently called for a fresh round of challenges to the very narratives that have blinded organisations to real threats and structural failures.

Rather than settling for comforting slogans, he argues that business and security leaders must confront the cultural and governance gaps that continue to handicap even well-funded programmes.

His work cuts through the noise to focus squarely on execution, accountability, and organisational transformation as the real levers of cyber resilience — themes that are central to the candid insights he shares in this interview.

Many organisations claim to have made significant investments in cybersecurity over the last decade, yet breaches and operational failures continue. From your perspective, what is fundamentally going wrong?

What I see, time and again, is that organisations often endorse a narrative that simply doesn’t reflect today’s organisational realities behind cybersecurity.
For years, many CISOs have relayed simplified slogans—security as a business enabler, security is everyone’s responsibility, CISOs must speak the language of the business. They may sound modern, but they are often shallow. They obfuscate fundamental cultural issues, governance gaps, or the inability of large organisations to execute across silos.
The result is that many CISOs talk a good game about cybersecurity, but still struggle with the basics—identity management, patching, operating model clarity, accountability. And those basics are what attackers exploit.

You’ve argued that parts of the industry are trapped in clichés that no longer help business leaders. Why do these narratives persist, and why are they so damaging at executive level?

They persist because they’re simple, marketable, and comfortable. Take the idea that “cybersecurity enables the business.” It was created in an attempt to secure executive support when threats were perceived as remote. But today, cyber-risk is immediate, material, and strategic. Positioning security as an enabler no longer makes sense when the real challenge is protecting the core of the business from real and active threats.
Similarly, saying that “security is everybody’s responsibility” dilutes accountability. It becomes very easy for leaders to assume that another function—or the CISO—will take ownership. That mindset leads to stagnation.
These clichés are damaging because they prevent honest conversation. They obscure the hard truth: cybersecurity succeeds when leadership drives culture, governance, and execution from the top.

Many CISOs believe that lack of investment is the main reason why security maturity stagnates. But you’ve suggested a different diagnosis. Could you elaborate?

Underinvestment does exist in some firms, but it’s not the primary reason maturity stagnates.
What I see is a cycle of execution failure:

Complex, cross-functional initiatives don’t progress fast enough, or don’t go beyond alleged quick-wins.
Executives lose confidence because they don’t see results.
That loss of trust drives lower investment.
Which further undermines capability and momentum.

This is what I call the “cybersecurity spiral of failure.” In most cases, the real constraint is not the budget—it’s the organisation’s ability to deliver, maintain, and scale cross-silo foundational controls. That requires leadership alignment, clear accountability, and a cultural shift around ownership. Money alone cannot fix that.

Let’s talk about the relationship between the CISO and the business. We often hear that security leaders need to “speak the language of the business.” Do you think this is still relevant?

Not in the way it’s typically presented. Business leaders today already understand cyber-risk. They see regulatory pressure, operational disruptions, and brand damage. They don’t need convincing that cybersecurity matters.
What they need is execution they can trust. The idea that CISOs must learn to “translate technical risk into business language” is often a distraction from the real issue: why did previous programmes fail to deliver? Where are the organisational bottlenecks? How can cyber activities be embedded into normal business operations?
The best CISOs today spend less time “speaking the language of the business” and more time listening to business leaders, understanding their priorities, and building trust around delivery and governance.

Culture seems to be a recurring theme in your writing. From a leadership perspective, what does a healthy cybersecurity culture actually look like?

A healthy culture is not created by awareness campaigns or compliance training. It starts with leadership demonstrating that protecting the business is a shared value—not a delegated task.
People don’t change behaviour because they were told to click less or read more policies. They change because they care about the organisation, because the tone from the top is clear, and because accountability is transparent.
The “human firewall” is not a training problem—it’s a cultural and leadership problem. Unless people see executives taking cybersecurity seriously, embedding it into decisions, and allocating real ownership, behavioural change won’t happen.

If you had to give one piece of advice to CEOs or board members seeking to break out of this stagnation, what would it be?

Make cybersecurity part of the organisation’s cultural backbone.

When business leaders take ownership in that way, cyber programmes stop being reactive, superficial, or cyclical—and start becoming truly transformative.

Establish clear ownership and accountability around cybersecurity and treat it, not as a technology issue, but as an organisational transformation challenge.

And look beyond dated narratives or consultant jargon: Evaluate cyber leaders not on what they say about security, but on what they actually deliver.

JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

French and British national, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.

Leadership / November 4, 2025

The New Playbook for Cyber Leadership: Inside the First 100 Days of the CISO

An interview with global cybersecurity thought-leader JC Gaillard on his new book: “The First 100 Days of the New CISO – A Leadership Guide to Lasting Impact”

Why did you feel the need to write this book now?

Over fifteen years of advising C-level executives across global organisations, I kept seeing the same pattern. Success or failure in the CISO role had very little to do with technology, and everything to do with leadership behaviour, and a lot of that is defined or structured in the first 100 days. Yet too much of the guidance available to CISOs today remains reactive, technology-centric, or fear-driven. I started reflecting and writing on this in 2017, and eventually I am now releasing this book because I feel the industry needs a leadership guide on that matter—not another technical manual. The CISO role has changed a lot over the past two decades, and the old playbook no longer applies. We are in a new era, the “when-not-if” era around cyberattacks and the expectations of senior executives around the role of the CISO have changed dramatically: We need a new approach.

Your book’s title implies that the first 100 days define a CISO’s long-term impact. What makes this window so critical?

The first 100 days are when the organisation forms its judgment—not about your technical expertise, but about YOU: Your credibility, your leadership tone, and your ability to align with the business and drive change, if that’s what’s needed. If you spend that time reacting, firefighting, or trying to prove yourself through febrile activity, you run the risk of ending up trapped in an operational box. If you use it to listen, set rhythm, and build trust, you will position yourself as a strategic leader. The first 100 days are not about speed—they’re about understanding, structuring and sequencing.

In its first half, the book introduces a specific framework around the first 100 days. Can you explain this in simple terms?

It breaks the first 100 days into three leadership phases: the first six days, six weeks, and six months. The first six days are about observation—listening deeply to understand culture, power dynamics, and decision-making. The next six weeks are about alignment—structuring governance, clarifying priorities, and beginning to control the narrative. The next six months are about embedding and structuring execution—delivering quietly, institutionalising rhythm, and building maturity into the organisation. More than a framework, this is really a leadership rhythm.

You reject the common advice that new CISOs should aim for “quick wins”. Why?

Quick wins may feel productive, but they are often politically and strategically damaging. They often create activity without context, and they risk positioning the CISO as a tactical operator rather than a strategic leader. Credibility and trust should always precede change. A CISO who acts before understanding fully the organisational dynamics is likely to create resistance. Influence is not earned through noise, but through proportion and trust.

You frame cybersecurity primarily as a leadership and governance challenge, not a technical one. Why is that important?

Technology is only ever an enabler. The root causes of cybersecurity failure are rarely technical; they are managerial in essence—poor governance, unclear accountability, misaligned risk appetite, weak culture. Until CISOs embrace their role as leaders of organisational behaviour and governance, not just technology stack owners, they will never unlock long-term impact.

In its second half, the book shifts into how CISOs build sustainable influence beyond the first six months. What changes at that point?

Once you have established credibility and rhythm, your leadership posture must evolve. You need to move from driver to steward, from initiating change to sustaining it. This is where governance becomes architecture, culture becomes reinforcement, and resilience becomes strategic advantage. The real test of maturity is whether the organisation performs without your constant intervention.

You talk a lot about trust as a measurable asset. How does a CISO create trust at executive level?

Trust is not built through technical detail; it’s built through narrative and consistency. Boards and CEOs want clarity, proportion, confidence and quiet, reliable execution—not alarmism. CISOs build trust when they speak the language of enterprise value, when they demonstrate control without drama, when they get things done, and when they show that cybersecurity is being managed as a structured business function, not a series of technical projects.

What is the single biggest misconception about the CISO role today?

That the job is primarily about preventing breaches. In the “when-not-if” era, breaches are probably unavoidable, so the role has to go beyond that. The real job is about ensuring the organisation can operate with confidence despite risk. That means building resilience, governance alignment, cultural buy-in, and strategic credibility in terms of operations and delivery.

What do you hope this book will change in the industry?

I want to shift the conversation from technology, tools and incidents to leadership and maturity. That’s at the core of what I have been writing and speaking about over the past ten years. If this book helps one CISO move from firefighting mode to strategic influence—if it helps one board understand that cybersecurity is a management discipline, not a technical hobby—then it will have achieved its purpose.

If you had to summarise your message in a single sentence?

Your first 100 days as CISO are not about proving what you know—they are about showing who you are as a leader. Success in the first 100 days lies not in speed, but in humility, discipline, proportion and structure: That’s the way to build trust with business leaders and the pathway to lasting impact.

French and British national, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.

Leadership / June 22, 2025

Effective Cybersecurity Transformation Requires More Than Just Financial Investment

An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard

In a recent article, global cybersecurity expert and thought-leader JC Gaillard shared his insights on the complexities of cybersecurity transformation, emphasizing the importance of leadership, governance, and cultural change.

Through this conversation, JC Gaillard highlights that effective cybersecurity transformation is multifaceted, requiring more than just financial investment. It demands committed leadership, a cohesive culture, and a comprehensive strategy that aligns with the organization’s core business objectives.

In your article, you mention that increased budgets alone aren’t sufficient to enhance cybersecurity maturity. Could you elaborate on this?

Certainly. While it’s true that cybersecurity budgets are on the rise, this financial commitment doesn’t automatically translate to improved security postures. The core issue often lies in execution failures. Many organizations have historically approached cybersecurity as a purely technical challenge, delegating it to IT departments without addressing the broader organizational and cultural changes required. This narrow focus can lead to misaligned strategies and persistent vulnerabilities.

You emphasize the roles of the “What,” “How,” and “Who” in driving effective cybersecurity change. Can you explain their significance?

Absolutely.

**The “What”: This pertains to the specific actions and strategies an organization implements to bolster cybersecurity. While identifying these actions is crucial, it’s just the starting point.
**The “How”: This focuses on the methodology and processes employed to execute the identified strategies. It’s about ensuring that the implementation is effective, sustainable, and adaptable to evolving threats.
**The “Who”: This is perhaps the most critical aspect. It involves identifying the right individuals or teams responsible for driving and overseeing cybersecurity initiatives. Leadership commitment from the top echelons of the organization is essential. Without active involvement and ownership from senior leaders, cybersecurity efforts can become siloed and lack the necessary authority to enforce meaningful change.

Neglecting any of these dimensions can undermine the entire cybersecurity framework. For instance, even with a clear strategy (“What”) and a solid implementation plan (“How”), without the right leadership and accountability (“Who”), initiatives may falter due to a lack of direction or support.

How can organizations shift from a purely technical focus to a more holistic approach to cybersecurity?

The shift begins with leadership. Boards and senior executives must recognize that cybersecurity isn’t just an IT issue but a critical business imperative. This recognition should lead to the integration of cybersecurity into the organization’s core values and culture. Practical steps include:

Establishing Clear Governance Structures: Define roles and responsibilities across the organization to ensure accountability.
Fostering Cross-Departmental Collaboration: Encourage communication between IT, business units, and support functions to address cybersecurity challenges collectively.
Investing in Talent and Training: Develop internal capabilities by training existing staff and attracting new talent with diverse skill sets.
Continuous Evaluation and Adaptation: Regularly assess the effectiveness of cybersecurity measures and be willing to adapt strategies as threats evolve.

By embracing a comprehensive approach that encompasses leadership, culture, and technical measures, organizations can build resilient cybersecurity defences.

What role does organizational culture play in cybersecurity transformation?

Organizational culture is foundational to cybersecurity. A culture that prioritizes security will naturally encourage behaviours and practices that protect the organization. Conversely, if security is seen as merely a technical or compliance issue, it can lead to disengagement and risky behaviours. Leaders set the tone by:

Demonstrating Commitment: When employees see that leadership is genuinely invested in cybersecurity, they’re more likely to take it seriously.
Encouraging Open Communication: Creating an environment where employees feel comfortable reporting potential security issues without fear of retribution.
Integrating Security into Daily Operations: Making cybersecurity considerations a routine part of business processes rather than an afterthought.

Transforming organizational culture isn’t easy, but it’s essential for sustainable cybersecurity improvements.

In your view, what are the common pitfalls organizations face when attempting cybersecurity transformation?

One major pitfall is treating cybersecurity as a series of checkbox exercises aimed solely at compliance. This approach can lead to a false sense of security. Another issue is over-reliance on technology solutions without addressing underlying governance and process challenges. Additionally, failing to engage all relevant stakeholders—from top leadership to frontline employees—can result in fragmented efforts and overlooked vulnerabilities. A successful transformation requires a balanced focus on people, processes, and technology, underpinned by strong leadership and a supportive culture.

Finally, what advice would you offer to leaders embarking on cybersecurity transformation?

Start by acknowledging that cybersecurity is a strategic business issue, not just an IT concern. Engage with experts to assess your current posture and identify gaps. Prioritize building a culture of security within your organization, where every employee understands their role in protecting the company’s assets. Ensure that your strategies are adaptable, as the threat landscape is continually evolving. And most importantly, lead by example—demonstrate your commitment to cybersecurity through your actions and decisions.

French and British national, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.

Leadership / June 15, 2025

From Firefighting to Transformation: The CISO’s New Reality

Cybersecurity is finally getting board-level attention—but many CISOs are unprepared for the reality of what comes next.

For years, the cybersecurity narrative on social media has been dominated by tech vendors and misleading messages—focusing mostly on underfunding and the uphill battle to convince executives of the value of cybersecurity. That’s been the backdrop for as long as I’ve been writing these columns.

But in the real world, many CISOs are now facing a dramatically different reality.

Across boardrooms, the penny has dropped: Cyber-attacks are no longer a matter of “if” but “when.” This shift in mindset has fundamentally changed the dynamics for cybersecurity leaders. Conversations that used to start with “Why do we need to spend this?” now begin with “How much do we need to spend?”

This shift happens more often than one might think. It’s typically triggered by a high-profile incident, a near-miss, looming regulatory pressure, or simply a new executive who’s willing to ask uncomfortable questions.

For CISOs, this sudden elevation—from firefighter to transformational leader—can be as daunting as it is empowering. Often, it’s the same executives who once blocked investments now demanding fast results. Expectations skyrocket. Visibility increases. Execution is no longer optional—it’s assumed.

Yet execution remains deeply complex, especially in large organizations. Cybersecurity is inherently cross-functional. It requires coordination across silos, departments, and geographies—areas where large firms often struggle.

Many CISOs, having spent the last decade stuck in reactive mode with limited support, aren’t always equipped for this shift. A background in technology, while vital, doesn’t automatically prepare someone to lead large-scale organizational change.

The transformational CISO must possess more than technical chops. They need managerial skill, personal credibility, political awareness, and a deep understanding of how their business actually works. These traits carry far more weight than familiarity with the latest buzzwords—be it zero trust or quantum cryptography.

This mismatch between expectations and capabilities is a major contributor to burnout and short tenures in the field. Real transformation doesn’t happen in 18 months. And you don’t gain the experience needed to lead it by hopping jobs at every obstacle—no matter how attractive the salary.

Paradoxically, the urgency of transformation demands patience. CISOs must resist the urge to move too fast without the right leadership foundation. That’s often what causes both personal burnout and project failure.

Business leaders generally understand that complex change takes time. What they value most is honesty about what’s realistic.

The real key for CISOs lies in under-promising and over-delivering. Break the work into achievable steps. Celebrate and communicate early wins. Build trust along the way.

That trust—and the confidence it generates—will become the true driver of lasting, meaningful cybersecurity transformation.

French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.

Leadership / June 8, 2025

The Future of Cybersecurity Leadership: Breaking the CISO Deadlock

An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard

Cybersecurity is at a crossroads, and for many organizations, it’s not just a technical issue — it’s a leadership and cultural challenge.

To effectively address the growing threat of cyberattacks, businesses must rethink their cybersecurity strategy by elevating the CISO role and creating a more integrated, business-focused leadership structure. Without this transformation, companies risk remaining stuck in a cycle of reactive responses and missed opportunities.

In this interview with JC Gaillard, Founder and CEO of Corix Partners, we explore why the traditional CISO role has struggled to evolve and what needs to change.

Cybersecurity has been a significant challenge for many businesses. In your opinion, why is the current CISO role facing so many difficulties?

That’s a great question. For the past two decades, cybersecurity has predominantly been treated as a purely technical discipline. The current generation of CISOs is largely made up of technologists, and for them, it’s been about pushing a technology-driven agenda. But that’s created a disconnect. We’ve seen CISOs try to fix the problem from the bottom up — through tools and technology — but this has largely failed, leaving them stuck in a reactive mode, fighting cyberattacks instead of developing long-term strategies.

It sounds like the problem isn’t just about the technology, but about a deeper cultural and structural issue. Could you explain that more?

Exactly. It’s a cultural transformation, not just the implementation of new tools. Many business leaders have now recognized the inevitability of cyber-attacks and their devastating impact. But they expect cybersecurity to be executed effectively and efficiently across the business — not just in IT. The problem is that most CISOs are still stuck focusing on the “what” needs to be done, but they rarely focus on the “how” — the execution. That’s a big mistake. Cybersecurity has to be integrated into every part of the organization: business functions, support teams, and the growing digital supply chain.

So, it sounds like what’s missing is a broader vision of what cybersecurity should be. What’s your solution to this problem?

To break out of this cycle, you need to change how cybersecurity is governed. The CISO role, as it stands, can’t bridge the gaps between technology and business. What I propose is a split of the role. We need to elevate the cybersecurity leader to a more business-facing role, one that is part of the executive team. This new leader would drive the execution agenda across the business, ensuring compliance, reporting, and continuity. Meanwhile, the traditional CISO role should focus on the technical side — managing the IT aspects of cybersecurity.

That’s an interesting approach. But what do you see as the challenges in implementing this split in many organizations?

The biggest challenge, especially in some regions, is regulatory pressure and personal liabilities that CISOs face. It’s a risky move for many companies to split the role when they’re worried about compliance issues. But I truly believe this approach could break the current deadlock and stop the cycle of hiring and firing CISOs without achieving meaningful, long-term results. We need to build trust among the executive team and establish governance structures that go beyond just technical expertise.

It sounds like you’re advocating for a much more strategic and leadership-oriented role for cybersecurity, not just one focused on firefighting. What do you think needs to happen for companies to make this shift?

There’s a lot of work to be done, especially when it comes to changing the mindset around cybersecurity. Businesses need to understand that it’s not just an IT issue; it’s a core part of the business’s long-term health and success. Achieving this requires personal gravitas from the CISO and a willingness from executives to trust that person. But that shift can only happen if we stop thinking of cybersecurity as merely technical and start viewing it as a business priority that requires leadership, governance, and collaboration across the entire organization.

You mentioned earlier that many CISOs are dissatisfied with their roles and often switch jobs without making real changes. Why do you think that happens?

It’s all about the role’s limitations. CISOs are trapped in a cycle of failure because the expectations are misaligned. They’re hired to fix the cybersecurity issue, but because they are stuck in a purely technical space, they can’t address the bigger cultural and organizational gaps. They end up hopping from one job to another, but the issues they face are the same across companies. The leadership around cybersecurity needs to be restructured to be more impactful and forward-thinking.

It sounds like a real shift in how companies approach cybersecurity leadership is needed. How optimistic are you that businesses will embrace this change?

I’m cautiously optimistic. The need for transformation is obvious, and many business leaders are starting to see the bigger picture. While it may be difficult in some places due to regulatory constraints, the direction is clear. The cybersecurity landscape needs stronger leadership and more strategic thinking, and that change is necessary for companies to keep up with evolving threats. It’s not just about technology; it’s about governance and business integration. I believe we’re at a turning point, and with the right approach, we can break the current deadlock and make cybersecurity a real business enabler.

Leadership / June 1, 2025

Why Cybersecurity Fails in Big Business

Short-term thinking, broken project culture, and the missing link between CISOs and the C-suite

I’ve written at length over the past 10 years about the difficulties many large organizations face when it comes to cybersecurity—and particularly the persistent challenges in turning good intentions into effective action and business protection.

While the diagnosis is fairly consistent across many cases, there’s one important idea that bears repeating, because it frames the issue more broadly:

In organizations where accountability is weak, objectives are often vague or shifting, and success is measured primarily by quick wins, it’s hard for any project to reach its full potential—let alone one as complex and cross-functional as cybersecurity.

Cybersecurity initiatives rarely succeed in environments where projects in general struggle to deliver.

In traditional business initiatives, decisions about continuing or stopping a project are often made based on familiar criteria: return on investment, customer acquisition cost, time to market, or simply a change in strategic direction. Projects may be stopped or reframed—even when large sums of money have already been spent—because the organization has mechanisms in place to cut losses and reallocate focus.

Some organizations operate in a near-constant state of flux. New initiatives are launched while others are still underway; priorities are reset frequently. In high-growth environments, this can be seen as a form of dynamism. In more difficult contexts, it’s often a reflection of deeper structural challenges.

Whatever the underlying reason, the result is the same: an organizational climate where sustained focus is hard to achieve.

That matters for cybersecurity, because most meaningful initiatives in this space do not deliver immediate results. After years—sometimes decades—of underinvestment, shifting priorities, and narrow compliance-focused approaches, the work needed to build genuine maturity tends to be foundational, not superficial.

Quick wins may occasionally be possible, but they are rarely enough on their own.

In organizations where cybersecurity has long been deprioritized, transformation must start with business processes and people—not just technology. Tools matter, but without the right foundations, their impact will always be limited.

Unfortunately, many programs still begin with a focus on technology, and stall before they can reach deeper layers of change. Over time, this leads to growing technical debt, increased operational complexity, reliance on manual processes, and ultimately, strain on teams and leadership.

To change this trajectory, organizations need to adopt a longer-term view. Prioritizing process and people—and building from there—requires patience, alignment, and sustained support.

It also requires a broader understanding of what good cybersecurity leadership looks like. Beyond technical expertise, CISOs need the ability to navigate organizational dynamics, influence stakeholders, and lead with credibility across different parts of the business.

But even the most capable CISO cannot drive change alone. To succeed, they need active, visible backing from senior leaders—champions who understand the importance of the security agenda and are willing to support it consistently, over time.

This combination—a business-savvy CISO with leadership presence, and a senior executive sponsor who brings weight and continuity—is often what makes the difference.

It is only in environments where such partnerships exist, that transformation can become not only possible, but sustainable.

Leadership / May 11, 2025

From Risk to Reality: The Board’s New Cyber Mandate

An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard

As cyber threats grow more sophisticated and relentless, Boards of Directors can no longer afford to treat cybersecurity as a technical issue buried in the IT department.

JC Gaillard — long-time cybersecurity strategist and founder of Corix Partners — has been calling for a fundamental shift in how Boards engage with cyber risk for nearly a decade.

In this conversation, he lays out why it’s time for directors to move beyond checklists and crisis reactions, and start treating cybersecurity as a core element of business survival — one rooted in leadership, accountability, and real-world understanding.

You’ve been writing about the Board’s role in cybersecurity for nearly a decade. Why has this topic remained so important to you?

Because the discussion keeps getting framed in oversimplified ways. There’s no “one-size-fits-all” answer to how Boards should engage with cybersecurity. The landscape is shaped by too many variables — economic context, industry threats, company history, and maturity levels. Yet we still see governance approaches that are either reactive or superficial. Boards need to move beyond compliance checklists and start thinking of cybersecurity as a core element of business protection.

What’s the biggest misconception Boards tend to have?

Many still treat cybersecurity as a technical issue that can be delegated downward, or as a risk that might or might not materialize. But in the current environment — where threats are constant — that mindset is outdated. It’s no longer about “if,” it’s about “when.” The Board has to own the business protection agenda and ensure it is grounded in real-world awareness, not just hypothetical risk models.

You’ve previously written about the Board’s response to high-profile breaches, like the TalkTalk breach in the UK in 2016, and again after WannaCry and NotPetya in 2019. How has your thinking evolved since then?

Those earlier pieces focused on how Boards react in the aftermath of major incidents. In crisis mode, Boards tend to have a clearer agenda — it’s easier to act when something has gone wrong. But that approach isn’t sustainable. In my 2022 piece, I challenged the idea that Boards can afford to remain passive until a breach occurs. They must take proactive ownership, even when there’s no immediate crisis.

How should Boards begin that proactive ownership?

First, by building a meaningful understanding of the threat landscape — not just in abstract terms, but in terms specific to their business: Who might target them? Why? With what level of sophistication? What systems or data would be attractive to attackers? If that knowledge doesn’t exist in the Boardroom, it must be brought in — either through independent directors or trusted advisors. But it needs to be expressed in language the Board understands, not just technical jargon.

And what about executive accountability?

That’s absolutely critical. The Board must establish clear, unequivocal accountability for cybersecurity at the executive level. Not buried three levels down in IT, but in the C-suite. And that accountability should be tied to remuneration and performance metrics. It’s no longer acceptable to wheel in the CISO twice a year after something has gone wrong or just to tick a compliance box. The conversation needs to be continuous and strategic.

What should that Board-executive dialogue look like in practice?

It should be grounded in the company’s historical experience with cyber threats. Every large organization has had incidents or near-misses by now. Boards should ask: What lessons were learned? Was the response adequate? Are we funding the right capabilities? Are we thinking in the right timeframes — especially when long-term change is needed? That’s how you avoid repeating mistakes and ensure resilience over time.

You’ve deliberately avoided using the word “risk” in some of your writing. Why?

Because “risk” implies uncertainty — things that may or may not happen. But in today’s landscape, the threat is constant. Framing cybersecurity as “risk” encourages a mindset of mitigation, transfer, or acceptance. We need to talk instead about business protection — about securing what matters in a world where threats are already present. It’s a deeper, more grounded way to engage.

So what’s your core message to Boards today?

Stop treating cybersecurity as someone else’s problem. Take ownership. Get the right knowledge into the room. Hold your executives accountable. And engage with cybersecurity as a strategic business imperative — not just a compliance exercise. It’s time to step up, because in today’s world, this is about survival and long-term trust.

Leadership / May 4, 2025

Tool Fatigue: Cybersecurity’s Dirty Secret

Behind the AI hype and vendor noise lies an unsustainable security mess.

Every year, as conference season approaches, I find myself struck by the sheer volume of cybersecurity products, services, and vendors crowding the market.

I’ve been writing about this trend since 2019, and if anything, the landscape has only become more fragmented. Despite expectations, there’s still no meaningful consolidation on the horizon — and that’s a red flag. A market this crowded isn’t necessarily a sign of innovation; it may be a sign of dysfunction.

The situation has worsened in recent years as countless startups have jumped aboard the AI bandwagon. While many vendors seem successful — at least in attracting investor dollars — that success is often driven more by a surge in cyber-attacks and the hype around AI than by actual market demand.

Which brings me to a fundamental question: Who is buying all these tools?

There will always be a “box-checking” market. Some tools are purchased to satisfy audit requirements or prepare for regulatory inspections — often with little to no scrutiny or competitive evaluation. That segment is alive and well.

But other areas — like Governance, Risk & Compliance (GRC) and Identity & Access Management (IAM) — are becoming painfully overcrowded. In these saturated segments, how does a vendor stand out without a clear, credible, and differentiated message? Scaling a product in this environment is nearly impossible without a sharply defined value proposition.

Worse still, many vendors fail to articulate the business problem they’re solving. Their marketing materials are often packed with technical jargon, intelligible only to those deep inside a narrow specialty. It’s as if these tools are designed by technologists for technologists, with little thought given to the broader business context.

As a result, these solutions are usually purchased in isolation — point solutions acquired by individual team leaders to solve narrow problems. But collectively, they’ve led to a bloated, chaotic cybersecurity landscape in many large enterprises, where dozens of tools are deployed with little integration or strategy.

The consequences are serious:

Security operations are fragmented.
Compliance and incident response become manual and inefficient.
Costs rise as more human effort is needed to bridge gaps between tools.
Automation and integration remain elusive.

This tool sprawl contributes directly to the skills gap plaguing the industry. Without streamlining, scaling operations to meet growing threats becomes virtually impossible.

This is the harsh reality behind all those flashy trade show booths: Even if individual tools serve a purpose, their unchecked accumulation has made it nearly impossible for enterprises to respond effectively and efficiently to evolving threats.

Buying more tools won’t help — not unless something fundamental changes.

What’s needed is a strategic shift. Cybersecurity teams must stop addressing each problem in isolation and start building coherent, streamlined, and integrated security ecosystems. This is where the CISO’s leadership is critical.

CISOs must define a clear product vision and roadmap, prioritize simplification, and lead the charge in decluttering their organizations’ cybersecurity stacks. Automation should be central to this effort — but only if it’s paired with a ruthless focus on rationalization.

This mindset is more essential than ever as AI-based solutions proliferate. Without it, we’re simply adding to the chaos.

Leadership / April 27, 2025

Why the Board Needs to Learn Cyber Too: Rethinking the CISO Conversation

It’s time to stop blaming CISOs for poor communication—and start redesigning boardroom dynamics.

You don’t have to search far online or on social media to find articles discussing the difficulties CISOs face when engaging with the Board. Most of them repeat the same familiar refrain: CISOs don’t speak the language of the business and need to learn it. According to this view, better communication hinges on CISOs adapting their style to meet executive expectations, explaining their work in commercial terms, and making their teams’ value clear.

But to me, this argument is a legacy of two decades of failed bottom-up thinking in cybersecurity. It’s time to rethink the model. If the goal is truly effective board-level engagement, new dynamics need to be introduced—ones that shift responsibility onto both parties, not just the CISO.

First, let’s recognize that most Boards no longer need convincing that cybersecurity matters. That conversation is over. What they do need is a clear understanding of the specific and evolving threats their organizations face—and how those threats intersect with operational realities and strategic goals.

This requires more than a token appearance from the CISO once or twice a year. That may tick a compliance box, but it won’t build the trust or familiarity required for meaningful dialogue.

CISOs are, by and large, technologists by background. There’s nothing wrong with that; in fact, it reflects the origins and evolution of the CISO role since it first emerged in the 1990s. While many CISOs have grown into broader corporate responsibilities, their strengths often remain in the technical domain, not in navigating the political and strategic complexities of the boardroom.

Boardrooms, meanwhile, are inherently political environments, full of competing priorities, shifting agendas, and complex personalities. Without understanding these dynamics—or the broader context of what’s happening at the top of the business—even the most well-prepared CISO will struggle to connect their message to what matters most at that level.

External experts or non-executive directors may offer general knowledge and risk context, but only the CISO can provide a grounded view of the firm’s actual security posture. The catch? They can only do this effectively if the Board gives them the context they need to tailor that input to the moment.

This goes far beyond the oft-repeated call to “align cyber strategy with business strategy.” What’s needed is an ongoing alignment of execution—across the strategic lifecycle of the business. And that lifecycle is constantly shifting due to mergers, acquisitions, leadership changes, market dynamics, technological evolution, and global disruptions.

For Board-level conversations about cybersecurity to be truly valuable, they need to reflect this complexity. Cybersecurity is, by nature, a cross-functional and evolving challenge. That’s why I believe Boards would benefit from embedding a broader role—one that spans all aspects of business protection and compliance—at the executive level.

A “Chief Security Officer” (CSO), positioned at the top of the organization, could be pivotal in reshaping corporate engagement around cybersecurity. This role would relieve CISOs of reporting burdens for which they are often ill-equipped, allowing them to focus on the technical and operational aspects where they add the most value.

Meanwhile, having a peer at the Board table—a CSO who understands both security and corporate dynamics—would help foster better communication and build the trust needed for productive dialogue.

If companies are serious about addressing the CISO–Board disconnect, it’s time to stop asking CISOs to perform impossible tasks. Instead, they should rewire the conversation—and the structure—so both sides can meet halfway.

Leadership / April 20, 2025

From Firefighting to Fortitude: Why Cybersecurity Needs a Seat at the Strategy Table

After years of crisis-driven reaction, it’s time for business leaders to embed protection into the core of strategy—or risk losing more than just data.

Since the onset of the Covid-19 pandemic in 2020, cybersecurity—much like business at large—has been caught in a relentless storm of short-term crises and tactical responses.

First came the pandemic itself, forcing organizations to rapidly scale remote work, secure new digital perimeters, and battle a surge in cyberattacks—all under the weight of global uncertainty.

Then followed the aftermath, marked by geopolitical tensions, disrupted supply chains, and a sharp rise in sophisticated ransomware attacks targeting virtually every sector.

And finally, the generative AI explosion, kicked off by the release of ChatGPT in late 2022, triggered a new wave of shadow IT. The scale and speed of its adoption have dwarfed even the cloud computing boom of 15 years ago—unleashing more complexity, more risk, and more confusion.

Alongside these systemic shifts, isolated but impactful incidents added fuel to the fire:

The CrowdStrike episode in mid-2024—not strictly a cybersecurity breach, but a wake-up call on crisis management and business continuity.
Rising political and fiscal instability across key economies like France, the UK, and the U.S.
And the ongoing specter of geopolitical volatility, creating a perpetual sense of instability.

Much of this was neither predictable nor preventable. Cybersecurity, like many functions, tends to mirror broader business cycles. But in doing so, many security leaders—particularly CISOs—have found themselves stuck in a perpetual firefighting mode, unable to push toward true maturity.

This reactive posture has only worsened long-standing challenges in the cybersecurity space, reinforcing the so-called “spiral of failure” that’s plagued the industry for two decades. It’s also inviting increased regulatory scrutiny, a market reaction to repeated breaches and the perceived inadequacy of business responses.

Despite all this, many companies still show no real signs of a long-term strategy. Compliance is treated as a checkbox. Cybersecurity is siloed under IT. Risk is compartmentalized instead of being integrated across the enterprise.

But the nature of risk has changed. The interconnectedness of modern business—made even more intense by pandemic-driven digitization—means that cyber threats can no longer be contained within traditional silos. Incidents like CrowdStrike’s have shown us that cybersecurity now underpins business continuity.

And that means the response must be strategic, cross-functional, and led from the top.

Right now, we’re stuck in a loop of tactical responses. Everyone talks about “resilience,” but the term has become vague—more consultant-speak than operational reality. At best, it answers the “what” of change. Rarely does it address the “how.”

Here’s how: Businesses must embed protection as a core ethical pillar of strategy.

This isn’t just about compliance. It’s about ensuring the business can function under stress, maintaining digital trust, and safeguarding brand equity and shareholder value over the long haul.

Yes, it’s a shift. But it’s also common sense.

Good leadership today means championing business protection from the top—and embedding it into the culture at every level. Because in the digital age, security is no longer a technical concern. It’s a strategic imperative.