Posts categorized: Leadership

Leadership /

From Risk to Reality: The Board’s New Cyber Mandate


An interview with global cybersecurity thought leader and Corix Partners founder JC Gaillard


As cyber threats grow more sophisticated and relentless, Boards of Directors can no longer afford to treat cybersecurity as a technical issue buried in the IT department.

JC Gaillard — long-time cybersecurity strategist and founder of Corix Partners — has been calling for a fundamental shift in how Boards engage with cyber risk for nearly a decade.

In this conversation, he lays out why it’s time for directors to move beyond checklists and crisis reactions, and start treating cybersecurity as a core element of business survival — one rooted in leadership, accountability, and real-world understanding.


You’ve been writing about the Board’s role in cybersecurity for nearly a decade. Why has this topic remained so important to you?

Because the discussion keeps getting framed in oversimplified ways. There’s no “one-size-fits-all” answer to how Boards should engage with cybersecurity. The landscape is shaped by too many variables — economic context, industry threats, company history, and maturity levels. Yet we still see governance approaches that are either reactive or superficial. Boards need to move beyond compliance checklists and start thinking of cybersecurity as a core element of business protection.

 

What’s the biggest misconception Boards tend to have?

Many still treat cybersecurity as a technical issue that can be delegated downward, or as a risk that might or might not materialize. But in the current environment — where threats are constant — that mindset is outdated. It’s no longer about “if,” it’s about “when.” The Board has to own the business protection agenda and ensure it is grounded in real-world awareness, not just hypothetical risk models.

 

You’ve previously written about the Board’s response to high-profile breaches, like the TalkTalk breach in the UK in 2016, and again after WannaCry and NotPetya in 2019. How has your thinking evolved since then?

Those earlier pieces focused on how Boards react in the aftermath of major incidents. In crisis mode, Boards tend to have a clearer agenda — it’s easier to act when something has gone wrong. But that approach isn’t sustainable. In my 2022 piece, I challenged the idea that Boards can afford to remain passive until a breach occurs. They must take proactive ownership, even when there’s no immediate crisis.

 

How should Boards begin that proactive ownership?

First, by building a meaningful understanding of the threat landscape — not just in abstract terms, but in terms specific to their business: Who might target them? Why? With what level of sophistication? What systems or data would be attractive to attackers? If that knowledge doesn’t exist in the Boardroom, it must be brought in — either through independent directors or trusted advisors. But it needs to be expressed in language the Board understands, not just technical jargon.

 

And what about executive accountability?

That’s absolutely critical. The Board must establish clear, unequivocal accountability for cybersecurity at the executive level. Not buried three levels down in IT, but in the C-suite. And that accountability should be tied to remuneration and performance metrics. It’s no longer acceptable to wheel in the CISO twice a year after something has gone wrong or just to tick a compliance box. The conversation needs to be continuous and strategic.

 

What should that Board-executive dialogue look like in practice?

It should be grounded in the company’s historical experience with cyber threats. Every large organization has had incidents or near-misses by now. Boards should ask: What lessons were learned? Was the response adequate? Are we funding the right capabilities? Are we thinking in the right timeframes — especially when long-term change is needed? That’s how you avoid repeating mistakes and ensure resilience over time.

 

You’ve deliberately avoided using the word “risk” in some of your writing. Why?

Because “risk” implies uncertainty — things that may or may not happen. But in today’s landscape, the threat is constant. Framing cybersecurity as “risk” encourages a mindset of mitigation, transfer, or acceptance. We need to talk instead about business protection — about securing what matters in a world where threats are already present. It’s a deeper, more grounded way to engage.

 

So what’s your core message to Boards today?

Stop treating cybersecurity as someone else’s problem. Take ownership. Get the right knowledge into the room. Hold your executives accountable. And engage with cybersecurity as a strategic business imperative — not just a compliance exercise. It’s time to step up, because in today’s world, this is about survival and long-term trust.

 



JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.




Read more on our Security Transformation Leadership publication here on Medium


Tool Fatigue: Cybersecurity’s Dirty Secret


Behind the AI hype and vendor noise lies an unsustainable security mess.


Every year, as conference season approaches, I find myself struck by the sheer volume of cybersecurity products, services, and vendors crowding the market.

I’ve been writing about this trend since 2019, and if anything, the landscape has only become more fragmented. Despite expectations, there’s still no meaningful consolidation on the horizon — and that’s a red flag. A market this crowded isn’t necessarily a sign of innovation; it may be a sign of dysfunction.

The situation has worsened in recent years as countless startups have jumped aboard the AI bandwagon. While many vendors seem successful — at least in attracting investor dollars — that success is often driven more by a surge in cyber-attacks and the hype around AI than by actual market demand.

Which brings me to a fundamental question: Who is buying all these tools?

There will always be a “box-checking” market. Some tools are purchased to satisfy audit requirements or prepare for regulatory inspections — often with little to no scrutiny or competitive evaluation. That segment is alive and well.

But other areas — like Governance, Risk & Compliance (GRC) and Identity & Access Management (IAM) — are becoming painfully overcrowded. In these saturated segments, how does a vendor stand out without a clear, credible, and differentiated message? Scaling a product in this environment is nearly impossible without a sharply defined value proposition.

Worse still, many vendors fail to articulate the business problem they’re solving. Their marketing materials are often packed with technical jargon, intelligible only to those deep inside a narrow specialty. It’s as if these tools are designed by technologists for technologists, with little thought given to the broader business context.

As a result, these solutions are usually purchased in isolation — point solutions acquired by individual team leaders to solve narrow problems. But collectively, they’ve led to a bloated, chaotic cybersecurity landscape in many large enterprises, where dozens of tools are deployed with little integration or strategy.

The consequences are serious:

  • Security operations are fragmented.
  • Compliance and incident response become manual and inefficient.
  • Costs rise as more human effort is needed to bridge gaps between tools.
  • Automation and integration remain elusive.

This tool sprawl contributes directly to the skills gap plaguing the industry. Without streamlining, scaling operations to meet growing threats becomes virtually impossible.

This is the harsh reality behind all those flashy trade show booths: Even if individual tools serve a purpose, their unchecked accumulation has made it nearly impossible for enterprises to respond effectively and efficiently to evolving threats.

Buying more tools won’t help — not unless something fundamental changes.

What’s needed is a strategic shift. Cybersecurity teams must stop addressing each problem in isolation and start building coherent, streamlined, and integrated security ecosystems. This is where the CISO’s leadership is critical.

CISOs must define a clear product vision and roadmap, prioritize simplification, and lead the charge in decluttering their organizations’ cybersecurity stacks. Automation should be central to this effort — but only if it’s paired with a ruthless focus on rationalization.

This mindset is more essential than ever as AI-based solutions proliferate. Without it, we’re simply adding to the chaos.

 




Why the Board Needs to Learn Cyber Too: Rethinking the CISO Conversation


It’s time to stop blaming CISOs for poor communication—and start redesigning boardroom dynamics.


You don’t have to search far online or on social media to find articles discussing the difficulties CISOs face when engaging with the Board. Most of them repeat the same familiar refrain: CISOs don’t speak the language of the business and need to learn it. According to this view, better communication hinges on CISOs adapting their style to meet executive expectations, explaining their work in commercial terms, and making their teams’ value clear.

But to me, this argument is a legacy of two decades of failed bottom-up thinking in cybersecurity. It’s time to rethink the model. If the goal is truly effective board-level engagement, new dynamics need to be introduced—ones that shift responsibility onto both parties, not just the CISO.

First, let’s recognize that most Boards no longer need convincing that cybersecurity matters. That conversation is over. What they do need is a clear understanding of the specific and evolving threats their organizations face—and how those threats intersect with operational realities and strategic goals.

This requires more than a token appearance from the CISO once or twice a year. That may tick a compliance box, but it won’t build the trust or familiarity required for meaningful dialogue.

CISOs are, by and large, technologists by background. There’s nothing wrong with that; in fact, it reflects the origins and evolution of the CISO role since it first emerged in the 1990s. While many CISOs have grown into broader corporate responsibilities, their strengths often remain in the technical domain, not in navigating the political and strategic complexities of the boardroom.

Boardrooms, meanwhile, are inherently political environments, full of competing priorities, shifting agendas, and complex personalities. Without understanding these dynamics—or the broader context of what’s happening at the top of the business—even the most well-prepared CISO will struggle to connect their message to what matters most at that level.

External experts or non-executive directors may offer general knowledge and risk context, but only the CISO can provide a grounded view of the firm’s actual security posture. The catch? They can only do this effectively if the Board gives them the context they need to tailor that input to the moment.

This goes far beyond the oft-repeated call to “align cyber strategy with business strategy.” What’s needed is an ongoing alignment of execution—across the strategic lifecycle of the business. And that lifecycle is constantly shifting due to mergers, acquisitions, leadership changes, market dynamics, technological evolution, and global disruptions.

For Board-level conversations about cybersecurity to be truly valuable, they need to reflect this complexity. Cybersecurity is, by nature, a cross-functional and evolving challenge. That’s why I believe Boards would benefit from embedding a broader role—one that spans all aspects of business protection and compliance—at the executive level.

A “Chief Security Officer” (CSO), positioned at the top of the organization, could be pivotal in reshaping corporate engagement around cybersecurity. This role would relieve CISOs of reporting burdens for which they are often ill-equipped, allowing them to focus on the technical and operational aspects where they add the most value.

Meanwhile, having a peer at the Board table—a CSO who understands both security and corporate dynamics—would help foster better communication and build the trust needed for productive dialogue.

If companies are serious about addressing the CISO–Board disconnect, it’s time to stop asking CISOs to perform impossible tasks. Instead, they should rewire the conversation—and the structure—so both sides can meet halfway. 





From Firefighting to Fortitude: Why Cybersecurity Needs a Seat at the Strategy Table


After years of crisis-driven reaction, it’s time for business leaders to embed protection into the core of strategy—or risk losing more than just data.


Since the onset of the Covid-19 pandemic in 2020, cybersecurity—much like business at large—has been caught in a relentless storm of short-term crises and tactical responses.

First came the pandemic itself, forcing organizations to rapidly scale remote work, secure new digital perimeters, and battle a surge in cyberattacks—all under the weight of global uncertainty.

Then followed the aftermath, marked by geopolitical tensions, disrupted supply chains, and a sharp rise in sophisticated ransomware attacks targeting virtually every sector.

And finally, the generative AI explosion, kicked off by the release of ChatGPT in late 2022, triggered a new wave of shadow IT. The scale and speed of its adoption have dwarfed even the cloud computing boom of 15 years ago—unleashing more complexity, more risk, and more confusion.

Alongside these systemic shifts, isolated but impactful incidents added fuel to the fire:

  • The CrowdStrike episode in mid-2024—not strictly a cybersecurity breach, but a wake-up call on crisis management and business continuity.
  • Rising political and fiscal instability across key economies like France, the UK, and the U.S.
  • And the ongoing specter of geopolitical volatility, creating a perpetual sense of instability.

Much of this was neither predictable nor preventable. Cybersecurity, like many functions, tends to mirror broader business cycles. But in doing so, many security leaders—particularly CISOs—have found themselves stuck in a perpetual firefighting mode, unable to push toward true maturity.

This reactive posture has only worsened long-standing challenges in the cybersecurity space, reinforcing the so-called “spiral of failure” that’s plagued the industry for two decades. It’s also inviting increased regulatory scrutiny, a market reaction to repeated breaches and the perceived inadequacy of business responses.

Despite all this, many companies still show no real signs of a long-term strategy. Compliance is treated as a checkbox. Cybersecurity is siloed under IT. Risk is compartmentalized instead of being integrated across the enterprise.

But the nature of risk has changed. The interconnectedness of modern business—made even more intense by pandemic-driven digitization—means that cyber threats can no longer be contained within traditional silos. Incidents like CrowdStrike’s have shown us that cybersecurity now underpins business continuity.

And that means the response must be strategic, cross-functional, and led from the top.

Right now, we’re stuck in a loop of tactical responses. Everyone talks about “resilience,” but the term has become vague—more consultant-speak than operational reality. At best, it answers the “what” of change. Rarely does it address the “how.”

Here’s how: Businesses must embed protection as a core ethical pillar of strategy.

This isn’t just about compliance. It’s about ensuring the business can function under stress, maintaining digital trust, and safeguarding brand equity and shareholder value over the long haul.

Yes, it’s a shift. But it’s also common sense.

Good leadership today means championing business protection from the top—and embedding it into the culture at every level. Because in the digital age, security is no longer a technical concern. It’s a strategic imperative.





For CISOs, true influence comes from execution, not just investment


Stop Chasing Budget—Start Earning Trust


Two articles crossed my desk in early 2025 that highlight themes I’ve been advocating for over five years—ideas that now demand a broader perspective.

The first, based on Forrester research, labels 2025 as the “year of fiscal accountability” for CISOs, noting that boards increasingly expect clear returns on cybersecurity investments. (“Forrester on cybersecurity budgeting: 2025 will be the year of CISO fiscal accountability,” Louis Columbus, VentureBeat, December 30, 2024.)

This aligns closely with what we’ve been saying since 2019 at the Security Transformation Research Foundation. Our research on the evolution of cybersecurity has tracked a clear shift in priorities since the late 1990s, when the field began gaining traction in the business world.

In our view, the 21st century’s cybersecurity journey can be divided into three distinct eras:

  • The 2000s: Dominated by risk and compliance concerns.
  • The 2010s: Focused on incidents and breach response.
  • The 2020s: A decade that, from the outset, was bound to be defined by execution.

We saw this coming through both data and direct fieldwork. Executives were beginning to accept the inevitability of cyberattacks and were prepared to invest significantly in long-term transformation. Naturally, they would expect execution in return—measurable protection for the business, not just spending and structure.

So, it’s not just 2025 that should be seen as the “year of accountability” for CISOs. In my opinion, the entire decade should carry that label. Yet, it’s disappointing to see so many discussions—like the article referenced above—stop at the investment decision, as if execution were a simple matter of budgets and headcount.

That couldn’t be further from the truth. Anyone who’s worked in cybersecurity long enough knows that.

Cybersecurity is deeply complex and inherently transversal. In large organizations especially, protecting the business cannot be reduced to technical solutions alone. It demands a cross-silo, organization-wide effort. Success in this area requires CISOs to influence far beyond their direct remit—across departments, regions, and business lines.

And that’s not something money alone can buy. It takes experience, strategic thinking, and above all, leadership—the ability to navigate complex politics, inspire confidence, and align people around a shared vision.

This brings me to the second article I mentioned (“How CISOs can forge the best relationships for cybersecurity investment,” Rosalyn Page, CSOonline, January 8, 2025).

While the article rightly highlights the importance of business relationships for securing investment, I’d argue their value goes even deeper. These relationships are the foundation for building meaningful strategies and seeing them through.

Back in our “First 100 Days of the New CISO” series (2017/2018), we emphasized this exact point. The early days in the role are not about pushing a technical agenda, but about listening—to all stakeholders—and understanding the organization’s broader needs and constraints. Only through collaboration can a transformative strategy take shape.

That principle still holds true today.

Trust—not just money—is the real currency for CISOs. And trust is earned over time through a clear vision, alignment with business goals, and consistent delivery.

Yes, strong relationships may unlock investment. But more importantly, they create the only real platform for delivering long-term, transformative success in cybersecurity.

That’s the real challenge for CISOs this decade—and the real opportunity.





The CISO Dilemma: Breaking Free from the Cybersecurity Deadlock


Why the Traditional Role of the CISO is Failing and How to Fix It


Recent surveys paint a stark picture of the CISO community—disillusioned, job-hopping, and locked in an endless struggle to justify cybersecurity needs to senior executives. Many find themselves trapped in a cycle of failed bottom-up initiatives, unable to drive real change in protecting their organizations from cyber threats.

This predicament is often seen as unavoidable, yet few analysts question how the cybersecurity industry ended up here—or how to break free from this ineffective model.

The Core Issue: Cybersecurity as a Technical Silo

For over two decades, businesses have treated cybersecurity as a purely technical discipline. Most CISOs today come from technical backgrounds, and their approach reflects this bias. They have long championed technology-driven, tool-based strategies that, for the most part, have failed to deliver meaningful results. Meanwhile, the pace of cyber threats continues to accelerate, fuelled by rapid technological and business evolution.

This reactive, firefighting approach has left many CISOs stuck in an operational loop, unable to develop the leadership and strategic skills necessary to engage effectively with the broader business community.

The Shifting Business Mindset

In contrast, business leaders have evolved. They now recognize the inevitability of cyberattacks and understand their devastating impact. The days of denial are over. What they expect now is effective execution—cybersecurity strategies that align with business priorities, not just technical solutions.

Yet, many CISOs fail to adapt to this shift. They focus their communication on “what” needs to be done but neglect the “how”—reducing execution to a matter of headcount and investment. This narrow perspective weakens their influence and fuels their growing frustration.

Cybersecurity as a Business Imperative

To break this cycle, cybersecurity must move beyond its technical confines. It must integrate across corporate silos—engaging not just IT but also business units, support functions, and an increasingly digital supply chain. For many organizations, this requires a cultural transformation, not just new tools.

Achieving this in large enterprises demands governance structures that foster collaboration, leadership gravitas, and, above all, trust from other executives. Unfortunately, too few CISOs have built these capabilities over the years, leaving them disconnected from broader business objectives.

A New Model for Cyber Leadership

The perpetual dissatisfaction among CISOs stems from their inability to drive meaningful transformation. They move from one job to another, yet the fundamental challenges remain unchanged. Organizations, in turn, replace outgoing CISOs with candidates from the same mold—replicating the problem rather than solving it.

A more effective approach is to restructure the role itself by splitting its responsibilities:

  • Chief Security Officer (CSO): A senior, business-facing executive who is a visible part of the leadership team. This role should own and drive the cybersecurity agenda, regulatory compliance, business continuity, and resilience—ensuring security is embedded into the organization’s broader strategy.
  • Chief Information Security Officer (CISO): A technical expert reporting to the CSO (or possibly the CIO), responsible for the IT and technical execution of the cybersecurity framework.

While regulatory challenges and personal liability concerns may complicate this shift in some regions, it remains a strategy worth exploring to break the current cycle of failure in cybersecurity leadership.

The bottom line? If businesses want real cybersecurity progress, they need to rethink the CISO role—and if CISOs want to thrive, they must evolve beyond their technical roots.





CISOs Want Influence—But Trust Has to Come First


Executives don’t need another cybersecurity pitch. They need results.


The CISO Report 2025 from Splunk has sparked widespread discussion across cybersecurity media. The dominant narrative? CISOs are gaining more influence in the boardroom.

But beneath the headlines, familiar struggles persist. Many CISOs still face budget constraints, lack essential soft skills, and experience daily job dissatisfaction.

None of this is new. Most CISOs come from technical backgrounds, and the corporate boardroom—full of politics, strategy, and business priorities—isn’t their natural environment.

The Comfort Zone Trap

Having spent over 25 years in cybersecurity and a decade writing about leadership and governance, I’ve had countless conversations with security professionals about this challenge.

Even those who acknowledge cybersecurity as a business issue often retreat to their technical roots when faced with uncertainty. It’s their comfort zone. But in high-stakes executive discussions, this creates a disconnect. Without trust, CISOs struggle to influence decision-makers.

The fundamental issue? Cybersecurity is still seen as a technical discipline—when in reality, it never has been and never can be.

Logic vs. Business Reality

Many CISOs approach interactions with senior executives as a debate to be won through logic, data, and ROI calculations. They dismiss “fear, uncertainty, and doubt” as outdated and prefer a rational, numbers-driven approach.

But this is the wrong battle. The resistance they face isn’t rooted in a lack of understanding or logic—it’s driven by corporate short-termism and deep-seated cognitive biases.

Executives don’t need another PowerPoint explaining the risks. They already know cyberattacks are inevitable and can be catastrophic. They’ve seen it happen to competitors. Many have lived through crises themselves.

To them, cybersecurity isn’t an isolated concern—it’s just one of many threats to the business, alongside economic downturns, regulatory changes, and supply chain disruptions.

Breaking the Deadlock

Business leaders aren’t looking for CISOs to tell them what needs to be done. They want it done. And after two decades of rising cybersecurity budgets, they’re tired of hearing the same requests for more funding and grand transformation plans that never fully materialize.

CISOs must shift their focus from justifying security needs to proving they can deliver with the resources they have. Consistent, effective execution builds trust. And trust—not spreadsheets or scare tactics—is what unlocks greater influence, better budgets, and long-term success.

That’s the real engine CISOs should be building.




JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.




Read more on our Security Transformation Leadership publication here on Medium

The Cost of Data Breaches: Why the Numbers Don’t Add Up

Cybersecurity ROI is a flawed metric—here’s what truly matters to business leaders.


The cost of data breaches is a recurring topic in the cybersecurity industry. But here’s the challenge: no two breaches are exactly alike. The impact varies based on factors such as the industry sector, the attack’s target, and the victim’s level of preparedness.

Some costs are easy to quantify—such as forensic investigations, legal and PR expenses, and customer support for affected users. However, many researchers take this analysis further, attempting to estimate business losses and reputational damage. That’s where the exercise turns into a guessing game.

Take the 2024 Cost of a Data Breach report by IBM and the Ponemon Institute. While it provides a detailed methodology, its fine print exposes significant flaws:

  1. Inconsistent Comparisons: Year-on-year analysis is unreliable because sample groups change annually. Additionally, reported costs are estimated in local currencies and then converted to USD at fluctuating exchange rates.
  2. Unverified Respondents: The survey relies on “security and C-suite business leaders with first-hand knowledge of data breaches” at their organizations. But their experience levels vary, and their estimates—especially for factors like “business disruption, lost customers, and reputational damage”—are highly subjective.

This doesn’t mean the data is useless. But drowning in pages of decimal-point calculations often leads to misleading conclusions.

So why do these reports keep resurfacing? They reflect a long-standing belief among some industry leaders and security vendors: that cybersecurity investments must be justified with ROI calculations.

The logic goes like this:

  • Data breaches are inevitable.
  • A breach could cost X.
  • My product prevents breaches and costs Y (which is much less).
  • Therefore, investing in my solution delivers a return of Z.

While compelling on paper, this argument has been used for over two decades—and it simply doesn’t work. The numbers are often arbitrary, no single solution can stop all cyber threats, and executives are bombarded with similar justifications across every department.

At this point, senior leaders don’t need to be convinced that cyber threats are serious. They already know breaches can be costly, even catastrophic. They also understand the potential legal and personal liabilities.

What they need is confidence in their organization’s ability to execute a strong cybersecurity strategy. They need assurance that the right leadership is in place.

Ultimately, the most valuable currency in cybersecurity isn’t money—it’s trust. That’s where CISOs should be focusing their efforts.



