Short-term thinking, broken project culture, and the missing link between CISOs and the C-suite
I’ve written at length over the past 10 years about the difficulties many large organizations face when it comes to cybersecurity—and particularly the persistent challenges in turning good intentions into effective action and business protection.
While the diagnosis is fairly consistent across many cases, there’s one important idea that bears repeating, because it frames the issue more broadly:
In organizations where accountability is weak, objectives are often vague or shifting, and success is measured primarily by quick wins, it’s hard for any project to reach its full potential—let alone one as complex and cross-functional as cybersecurity.
Cybersecurity initiatives rarely succeed in environments where projects in general struggle to deliver.
In traditional business initiatives, decisions about continuing or stopping a project are often made based on familiar criteria: return on investment, customer acquisition cost, time to market, or simply a change in strategic direction. Projects may be stopped or reframed—even when large sums of money have already been spent—because the organization has mechanisms in place to cut losses and reallocate focus.
Some organizations operate in a near-constant state of flux. New initiatives are launched while others are still underway; priorities are reset frequently. In high-growth environments, this can be seen as a form of dynamism. In more difficult contexts, it’s often a reflection of deeper structural challenges.
Whatever the underlying reason, the result is the same: an organizational climate where sustained focus is hard to achieve.
That matters for cybersecurity, because most meaningful initiatives in this space do not deliver immediate results. After years—sometimes decades—of underinvestment, shifting priorities, and narrow compliance-focused approaches, the work needed to build genuine maturity tends to be foundational, not superficial.
Quick wins may occasionally be possible, but they are rarely enough on their own.
In organizations where cybersecurity has long been deprioritized, transformation must start with business processes and people—not just technology. Tools matter, but without the right foundations, their impact will always be limited.
Unfortunately, many programs still begin with a focus on technology, and stall before they can reach deeper layers of change. Over time, this leads to growing technical debt, increased operational complexity, reliance on manual processes, and ultimately, strain on teams and leadership.
To change this trajectory, organizations need to adopt a longer-term view. Prioritizing process and people—and building from there—requires patience, alignment, and sustained support.
It also requires a broader understanding of what good cybersecurity leadership looks like. Beyond technical expertise, CISOs need the ability to navigate organizational dynamics, influence stakeholders, and lead with credibility across different parts of the business.
But even the most capable CISO cannot drive change alone. To succeed, they need active, visible backing from senior leaders—champions who understand the importance of the security agenda and are willing to support it consistently, over time.
This combination—a business-savvy CISO with leadership presence, and a senior executive sponsor who brings weight and continuity—is often what makes the difference.
It is only in environments where such partnerships exist that transformation can become not only possible, but sustainable.
JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.
He is a leading strategic advisor and a globally recognised cyber security thought leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.
Read more on our Security Transformation Leadership publication here on Medium