Posts categorized: Leadership


CISOs Want Influence—But Trust Has to Come First


Executives don’t need another cybersecurity pitch. They need results.


The CISO Report 2025 from Splunk has sparked widespread discussion across cybersecurity media. The dominant narrative? CISOs are gaining more influence in the boardroom.

But beneath the headlines, familiar struggles persist. Many CISOs still face budget constraints, lack essential soft skills, and experience daily job dissatisfaction.

None of this is new. Most CISOs come from technical backgrounds, and the corporate boardroom—full of politics, strategy, and business priorities—isn’t their natural environment.

The Comfort Zone Trap

Having spent over 25 years in cybersecurity and a decade writing about leadership and governance, I’ve had countless conversations with security professionals about this challenge.

Even those who acknowledge cybersecurity as a business issue often retreat to their technical roots when faced with uncertainty. It’s their comfort zone. But in high-stakes executive discussions, this creates a disconnect. Without trust, CISOs struggle to influence decision-makers.

The fundamental issue? Cybersecurity is still seen as a technical discipline—when in reality, it never has been and never can be.

Logic vs. Business Reality

Many CISOs approach interactions with senior executives as a debate to be won through logic, data, and ROI calculations. They dismiss “fear, uncertainty, and doubt” as outdated and prefer a rational, numbers-driven approach.

But this is the wrong battle. The resistance they face isn’t rooted in a lack of understanding or logic—it’s driven by corporate short-termism and deep-seated cognitive biases.

Executives don’t need another PowerPoint explaining the risks. They already know cyberattacks are inevitable and can be catastrophic. They’ve seen it happen to competitors. Many have lived through crises themselves.

To them, cybersecurity isn’t an isolated concern—it’s just one of many threats to the business, alongside economic downturns, regulatory changes, and supply chain disruptions.

Breaking the Deadlock

Business leaders aren’t looking for CISOs to tell them what needs to be done. They want it done. And after two decades of rising cybersecurity budgets, they’re tired of hearing the same requests for more funding and grand transformation plans that never fully materialize.

CISOs must shift their focus from justifying security needs to proving they can deliver with the resources they have. Consistent, effective execution builds trust. And trust—not spreadsheets or scare tactics—is what unlocks greater influence, better budgets, and long-term success.

That’s the real engine CISOs should be building.




JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

A French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.




Read more on our Security Transformation Leadership publication here on Medium


The Cost of Data Breaches: Why the Numbers Don’t Add Up


Cybersecurity ROI is a flawed metric—here’s what truly matters to business leaders.


The cost of data breaches is a recurring topic in the cybersecurity industry. But here’s the challenge: no two breaches are exactly alike. The impact varies based on factors such as the industry sector, the attack’s target, and the victim’s level of preparedness.

Some costs are easy to quantify—such as forensic investigations, legal and PR expenses, and customer support for affected users. However, many researchers take this analysis further, attempting to estimate business losses and reputational damage. That’s where the exercise turns into a guessing game.

Take the 2024 Cost of a Data Breach report by IBM and the Ponemon Institute. While it provides a detailed methodology, its fine print exposes significant flaws:

  1. Inconsistent Comparisons: Year-on-year analysis is unreliable because sample groups change annually. Additionally, reported costs are estimated in local currencies and then converted to USD at fluctuating exchange rates.
  2. Unverified Respondents: The survey relies on “security and C-suite business leaders with first-hand knowledge of data breaches” at their organizations. But their experience levels vary, and their estimates—especially for factors like “business disruption, lost customers, and reputational damage”—are highly subjective.

This doesn’t mean the data is useless. But drowning in pages of decimal-point calculations often leads to misleading conclusions.

So why do these reports keep resurfacing? They reflect a long-standing belief among some industry leaders and security vendors: that cybersecurity investments must be justified with ROI calculations.

The logic goes like this:

  • Data breaches are inevitable.
  • A breach could cost X.
  • My product prevents breaches and costs Y (which is much less).
  • Therefore, investing in my solution delivers a return of Z.

While compelling on paper, this argument has been used for over two decades—and it simply doesn’t work. The numbers are often arbitrary, no single solution can stop all cyber threats, and executives are bombarded with similar justifications across every department.

At this point, senior leaders don’t need to be convinced that cyber threats are serious. They already know breaches can be costly, even catastrophic. They also understand the potential legal and personal liabilities.

What they need is confidence in their organization’s ability to execute a strong cybersecurity strategy. They need assurance that the right leadership is in place.

Ultimately, the most valuable currency in cybersecurity isn’t money—it’s trust. That’s where CISOs should be focusing their efforts.



