Tech jargon and hyper CISOs weaken cyber security strategies

By Christopher Tredger

Johannesburg, 31 May 2022
Phillimon Zongo, CEO, Cyber Leadership Institute, Australia. (Photo: Julian Goldswain)

Cyber security strategies are unnecessarily complicated, filled with tech jargon, and further discredit the role of the chief information security officer (CISO) – who too often rides roughshod over the business with unchecked plans that only fuel uncertainty and misperception. The result is frustration all round, a wider disconnect between CISOs and business stakeholders, and a weaker corporate cyber defence.

“The days of the lone wolf are over … cyber security is a team sport,” said Phillimon Zongo, CEO, Cyber Leadership Institute, Australia, speaking at the ITWeb Security Summit 2022 this morning.

The Institute has trained CISOs and organisations from 45 countries globally.

As many new CISOs learn the hard way, success in the C-suite has less to do with technical proficiency and more to do with one’s ability to navigate complex and deeply entrenched political systems, influence power brokers, lead with courage and communicate to the board with clarity and persuasion.

Zimbabwe-born Zongo, author of a best-selling book on cyber security, said one of the biggest obstacles facing CISOs in effectively enforcing their mandate to drive positive change in their environments, is a lack of self-awareness and exaggerated faith in their own technical skills and ability.

“Unfortunately, a lot of CISOs stubbornly stick their heads in the sand like ostriches and they pay dearly in their inability to detach themselves from technical and professional decision-making, they abdicate their strategic stakeholder management responsibilities. It is a well-documented fact that the success of any major transformation programme hinges on one thing – the unwavering support of the most senior business officers, and without the support of key decision makers on their side, the cyber transformation programmes are quickly thrust into rough waters or crash on take-off.”

Another factor behind failure within the cyber security space is the fact that some CISOs are hired, or believe they are hired, primarily to salvage their companies from serious data breaches.

While a cyber crisis certainly justifies dramatic action, in their hyperactivity CISOs commit to game-changing initiatives without understanding the lay of the land, and in the process they overlook major obstacles that come back to bite them.

Moreover, Zongo says some CISOs are simply hired to tick a box or fulfil an external mandate, because of pressure placed on the board by external shareholders or investors. “The move itself unfortunately just represents poor and zero substance. Once these new CISOs take to these ceremonious positions they inevitably fail to overcome strong inertia that is exerted by toxic organisational cultures.”

“To borrow the words of Peter Drucker, a management guru, these toxic organisational cultures will eat your cyber security strategy for breakfast!”

In these environments, the views of the CISO are quickly sidelined, budget requests fall on deaf ears and, Zongo said, “… in the end the CISO feels like a glorified systems administrator.”

Transformation success

Zongo added that according to McKinsey, with a transformation programme in place, initiatives are four times more likely to succeed – and cyber security strategies are the foundation.

He acknowledged the difficult job that CISOs are tasked with, as well as the real challenges in the market amid an escalating and sophisticated cyber threat landscape. However, he advised CISOs to work at cultivating strong working relationships with all stakeholders, particularly decision-makers, and to approach cyber security strategies with clarity, humility, and brevity.

He said that the role of the CISO will only escalate in influence going forward, and believes it is better to create the environment they want through careful influence, as well as straightforward and transparent engagement.

In the world of cyber security, a lot sounds great on paper, but execution is a different ball game, said Zongo, and it’s important to celebrate real wins to strengthen credibility, which he described as “the currency of the CISO”.

“Don’t try to boil the ocean,” he quipped.