How the way we talk about information security has changed over the last 2 decades, based on a quantitative analysis of 17 Global Information Security Surveys by EY (2002-2019)
Hi guys. A great act to follow, a difficult act to follow, I think, but I'll do my best. We're going to change the tone a little bit: what I'm going to be talking about is going to be far less technical than what you've been hearing so far in this room this afternoon. I'm JC Gaillard, managing director and founder of Corix Partners. I'm a management consultant; I run a management consultancy firm based in London, focusing on cybersecurity strategy, organization and governance.
I also animate the Security Transformation Research Foundation, a think tank associated with Corix Partners, which is aimed at exploring how the narrative around cybersecurity needs to change for the industry, and for society at large, to move forward. The piece of research I'm going to be talking to you about this afternoon is a piece of research
we developed during the summer under the label of the Security Transformation Research Foundation. Essentially, we're going to be looking back at the way the language of security has changed over the last two decades. We're going to try to put those things a little bit into perspective: how have we changed the way we talk about security, as security professionals, as security practitioners, looking back across the last two decades?
That's the sort of journey I'm going to try to take you through, in a quantitative manner, because essentially what we've done is analyze the semantic content, the language content, of 17 Global Information Security Surveys from EY. Those are surveys you might be familiar with:
every big four firm puts one of those out every year, and we've analyzed the language content, the semantic content, of 17 of those from EY. So we're going to be talking about the language of security in a quantitative manner, out of our findings from that semantic analysis. I want to take you through a few points of methodology first, to put things a little bit into context as well. Why did we do this to start with?
Well, our prime objective, of course, was to try to analyze in a quantitative way how our focus and our priorities as a security industry have changed across the last two decades. But to be honest, the hypothesis I was testing myself, based on my own 20 years of experience in that space, is really the hypothesis of industry stagnation: the fact that we all come to those lovely conferences, but we end up talking about the same things all the time, and that all this goes round and round in circles. Quite seriously, that's not what I found.
And that's why I'm here to talk to you, essentially. Why did we use the EY reports?
Well, fundamentally, the length of time they cover was the main factor. They were first published in 1998; EY are very proud of those 20 years of association with the cybersecurity industry, or the information security industry, across that long period of time. Frankly, we also have to praise the consistency of the format, the quality of the research, the quality of the writing, and all those factors really are the main reason why we decided to work on the basis of those reports.
PwC have been doing it as well, but they started considerably later; Deloitte and KPMG tend to have a different approach, maybe more industry focused. So the EY reports were good for us, and that's essentially what we used. EY are aware of this.
There is no secret here, if any of you is in a relationship with them: they know of this survey, they're supportive, they're interested. And frankly, there is nothing bad to say about them anyway.
So that's the point about EY and why we used them. How did we proceed, and why did we decide to analyze the language and not the results? Because of course, in those reports, if you're familiar with them, you've got the actual results, the questions, the pie charts, the graphs, and then you've got the commentary. Of course, not having access to the underlying data sets made it difficult to compare like with like when it came to the analysis of the results themselves.
Even if the same question was asked in 2005 and in 2012, not knowing who actually answered that question, it was very difficult to normalize the results in order to compare like with like. So we focused on the commentary, the language, the wording of those reports, which of course relates to the pie charts and the graphs. So the language reflects the results in the diagrams, and the diagrams and the results reflect what the people being interviewed have told the consultants.
So there is a degree of consistency here, which gives us confidence that by analyzing the language, we're actually reflecting the focus and the priorities of the industry at any given moment. That's essentially what we did. We scraped all the words from all those reports, we put them into a bag of words, we removed all the stop words, we removed all the acronyms, we removed all the noise really, and we ended up with approximately 80,000 words to search from. And I insist there is nothing fancy here.
There is nothing which goes beyond the complexity of a percentage calculation. There is no AI involved here; we've just been counting words, essentially, and we're going to be talking about the frequency of words in the reports.
Again, it's the mathematical complexity of a percentage. Even the word semantics:
if there are semantics experts here, I don't know, but some friends of mine who are a bit more expert in that field have told me, you haven't really done anything in terms of semantics here, you've been counting words. And I say, yeah, all right, maybe I shouldn't be talking too much about semantic analysis and more about language analysis, but you're going to see what I'm talking about when I start getting into the results.
So, five findings, essentially, which I'm bringing to you as an indication of the way the language of security has evolved. If you've been involved in the industry for 20 years, you may recognize some patterns you've been involved with; if you haven't, you may recognize things which you like as well, and which certainly will give you some context and will show you that there is indeed a historical continuum here, which is worth knowing.
For example, cyber and cybersecurity: the word cyber and the word cybersecurity appear in the top 100 of our word counts in 2013. Just an interesting nugget of information.
We haven't been talking about cybersecurity all our life. What were we talking about before?
Well, we were talking about information security, of course. Anyway, let's get into the results proper. The first finding is essentially that when you look at those words and look at the top of the list, and that's where I started, I looked at the top of the list, the most common words, the words which come up the most often across all reports, what you find, of course, is all the usual suspects: security, information, organization, management, business.
So the first impression is, oh my God, this is going to be management jargon all the way, generic jargon all the way. Is that the way we really talk about security when we try to take a step back? Because that's a little bit what those reports are meant to be: they're meant to be elevating the debate a little bit, and they're meant to be addressing senior execs.
Well, yes, of course the most common words are generic, but when you start looking at the proportion of those words in each report, you see a trend emerging, which is the fact that the proportion of those most common words is diminishing. So I think there is room to push this as the first finding: there is a trend in our research which shows that we tend to speak about security in a more and more specific language. The proportion of those generic terms seems to be diminishing. That's the first finding
I'm putting forward. It's the first finding I came across, and that's the point from which we started digging
into the data a little bit more, because the next question, of course, is: if we are talking about security in a more and more specific manner, in what way are we becoming more specific? When you start looking at the words in the list below the top five or the top 10, you start to realize, and now we are getting a little bit more properly into the field of semantics, that words carry different meanings. And you start to see that there is indeed a bias analysis which can be made here.
Words convey, for example, a more positive or a more negative bias. Words convey a more technical or a more managerial bias. And we've actually analyzed the bias in the reports according to those two dimensions, from technical to managerial, from positive to negative. For example, words like results and success carry a positive bias; words like threat, attack, incident carry a negative bias; words like leaders, leadership carry a more managerial bias; words like malware, ransomware, virus, cloud carry a more technical bias.
So we've analyzed the bias in those reports across those two dimensions, and we found a very interesting shift. As a matter of fact, we found two decades clearly separated by what appeared to be a clear semantic shift. When you look at the reports from 2002 to 2009, they very clearly have a more positive and a more managerial bias compared to the reports we've seen since.
So based on that, the second finding we're putting forward is that if we talk about security in a more specific manner, we also talk about security in a more and more negative and a more and more technical manner as well. That's very much the second finding here, together with that very interesting demarcation line in 2010. And that's really the piece we explored next. What does this demarcation line in 2010 tell us? What really has changed across those two decades? Digging a little bit more into the way a number of keyword markers evolve,
we saw a really significant shift in focus across the two decades. If you look at keyword markers like risk, compliant, compliance, regulatory, regulation, you see a clear downward trend: they dominate the first decade and they subside during the next. In parallel, if you look at keyword markers like incident, threats, and what else have we got, breaches, intrusion, you see the opposite trend. They clearly become more and more prominent during the second decade, the decade we are in, the decade which is coming to an end.
Similarly, if you look at the way the word risk is used against the word threat, you see that the word risk is used in a far more prominent manner during the first decade, and that gradually the word threat becomes more and more prominent. At the moment we are probably using them in an interchangeable manner. So I think we do see a significant shift in focus across the two decades.
The impression here is that the compliance and risk considerations which dominate the first decade are clearly replaced by considerations of incidents and threats during the following decade. There is an additional piece of analysis here which I need to bring up, which is our fourth finding, which is again digging into what happened around that junction between the two decades, looking at what happened around 2010. What do we see?
We see an enormous burst of interest, an enormous burst of language, around cloud and outsourcing. That's not a big surprise for any of you if you've been involved in the industry at the time, but we see that burst dominating the period 2010, 2011, 2012. And the fantastic thing is that it vanishes into acceptance, it vanishes into normality almost, after that. But really, what dominates here is the sense that the last decade, the decade we are in, the one which is coming to an end, is really dominated by that sense of realization.
The sense that this is no longer just about compliance or risk. Ultimately, risk is about things which may or may not happen; compliance is about putting ticks in boxes, we all know that. Now there is a different sense here: the sense that tech is changing, the sense that this is real, the sense that incidents do happen, the sense that they harm business, they impact business. So you really have that sense of realization which dominates the decade we are in.
And finally, continuing to dig into the language we are using and looking back at the residual business language we use: at the beginning of all this I said we tend to talk about security in a more and more specific language, but more and more technical and more and more negative. When we look at the residual business language, we do see a trend towards a more specific and sharper language as well. Markers like digital, innovation, growth, value clearly become more and more prominent.
But the thing which is really concerning from my perspective, and probably the most interesting finding for me, is the piece at the bottom here: the fact that throughout the two decades, keyword markers indicating or related to the language of execution clearly dwindled. They're clearly on the way down, words like objectives, delivery, results, priorities, all the language which is genuinely the language of execution.
That's clearly diminishing in proportion in those reports, and, to a lesser extent, but I think it also makes sense here, all the language related to people, culture and skills. That's also clearly diminishing in proportion in the reports, and you are left with the situation where, frankly, keyword markers such as risk, threat, compliance, incidents are effectively 3.5 times more frequent across all reports than keyword markers like governance, budget, delivery, priority, culture or skills.
So you are left with the impression that, frankly, the industry is very good at talking about what could go wrong, but not so good at talking about what we could do to fix it. And that's a little bit the bottom line here for me at the end of this.
So, to reach the final part of the talk here: what is all this showing us? It's showing us two decades. Up to 2009, what I'm calling here the compliance decade, a period during which security is fundamentally a balancing act between compliance requirements, risk appetite and costs; the CSO as a risk manager, I'm using that as a cliché here. 2010 to today, really, is a decade I'm calling the realization decade. That's what I was saying before.
The sense that security is a necessary barrier against real threats, that this is real, that it's really happening, that it does harm business, that it's not just about compliance and risk. And all that, of course, in the context of massive technological change, in the context of the aftermath of a financial crisis of historical proportions, and of course in the context of very significant digital transformation and digital disruption for many, many industries.
And to use a cliché, I'm saying the CSO is a firefighter here. That's a little bit what I'm seeing: CSOs not being able to get out of firefighting mode, because there is always something going on, there are always some fires to put out. Where does that take us?
What could we say? What do we want the next decade to be? Well, what I'm putting to you is that the industry needs to pivot towards an execution paradigm, going back to what I said around our finding five: our execution language has not been prominent enough. We need to focus more on delivering, on executing, on getting things done.
And that's really what I'm calling the execution decade. Security is no longer just about ticking boxes. It's no longer just about risk. It's not a necessary evil; it's a business imperative, a business imperative in the "when, not if" era, an era where you have to assume you're going to be breached, and senior executives are assuming that the business is going to be breached.
And of course, in a context where, if you're waking up today at the back end of 20 years of lip service, under-investment or adverse prioritization by your business, yeah, you may have a very significant challenge. You may have a very significant challenge if your maturity is low.
And of course your regulators and politicians have stepped in, and now this is happening under the threat of pretty considerable fines, which are business impacting, with the GDPR and the variety of regulations we can see emerging around the world. So the CSO as transformation leader is really the cliché I'm using to encompass what the next decade could be, or should be, about. And I leave you with three management considerations around that.
Now, going back a little bit to the profile of the CSO and to what challenges organizations are facing here, if they are genuinely waking up to a pretty significant transformation challenge.
Well, the first point is that the profile of the transformation leader is key here. A good firefighter is not a good transformer, as I'm saying on the slide, and many CSOs are struggling, to be honest, in my experience, around very significant, large-scale transformation challenges. There is a bit of a lost decade here for CSOs as well.
When you are constantly dragged into firefighting, when you're constantly dealing with technical problems, you don't develop the managerial or the leadership skills you need to drive a seven- or eight-digit transformation program of work. So there are a number of very significant considerations around the profile of transformation leaders here for organizations which are facing that type of challenge. My second point is that, of course, transformation on a large scale takes time, and there may not be quick wins. Security is a complex beast.
It cuts across corporate silos, and large organizations work in silos. That's the only thing they know.
And security cuts across. So security transformation is a very hard challenge, and it takes the time it takes, to cut it short. That's a challenge more for senior management, because senior management must be able to look beyond short-termism and to stay focused on the right term to drive the right transformational objectives around security. I don't know if any of you have heard me talk on this topic here or elsewhere, but this is often a very, very hard challenge for many organizations.
At this stage, that's the point where I normally say you cannot take security out of the broader corporate context of any organization. You cannot take security governance out of the governance of any organization. There are organizations which are well managed; there are organizations which are not so well managed. There are industries which are doing well, industries which are not doing so well, and that's what it is.
But here, going back to large-scale transformation programs: being able to remain focused on the right mid- to long-term objective is key, and it's often a very complex challenge for organizations. And my final point, which is worth saying again and again, more than ever for organizations facing large-scale transformation programs:
this is about culture and governance. It's about culture and governance more than technology; it's about culture and governance before technology. Throwing money at tech vendors is just looking for quick wins which don't exist, or for a magic bullet which doesn't exist. That has never built anything lasting.
You need to think about the right organization, the right operating model, as well as technology. More than ever, it's about people, process, then technology, and very much in that order, if you're facing a large-scale transformation program. And that's it for me. Have I done well in terms of time?
No, I'm ahead. Yep. Thank you.
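The word-counting method the talk describes (a bag of words with stop words and acronyms removed, the proportion of generic terms per report, positive/negative and managerial/technical bias from marker words, and the frequency of "what could go wrong" markers against execution markers), as an added Python example; this is not the foundation's or EY's code. The four report excerpts and the marker word lists are constructed for illustration, whereas the real study pooled about 80,000 words from 17 reports.

```python
import re
from collections import Counter

# Constructed excerpts standing in for the commentary of four annual reports
# (written for this example; none of this is EY's wording).
REPORTS = {
    2004: "Information security is a management discipline. The organization must demonstrate "
          "compliance with SOX and regulatory requirements and align risk appetite with business "
          "objectives. Leadership reports success and results to the board.",
    2008: "Security management remains a balancing act between compliance, regulation and cost. "
          "Information security leaders set priorities, and the organization delivers governance "
          "objectives on budget with success.",
    2011: "Cloud computing and outsourcing raise new threats. Incidents and breaches now harm the "
          "business directly, and malware attacks on cloud platforms demand a technical response.",
    2016: "Ransomware and intrusion attempts are a daily reality. The organization must assume it "
          "will be breached: threat intelligence and incident response matter more than risk "
          "registers, although digital innovation still creates value.",
}
STOP_WORDS = {"the", "a", "and", "of", "to", "in", "must", "with", "is", "are", "that",
              "this", "on", "for", "as", "by", "it", "its", "we", "our"}
GENERIC = {"security", "information", "organization", "management", "business"}  # the "usual suspects"
# Hypothetical marker lists mirroring the examples the talk gives for each dimension.
MARKERS = {
    "positive": {"results", "success", "growth", "value", "innovation"},
    "negative": {"threat", "threats", "attack", "attacks", "incident", "incidents",
                 "breach", "breaches", "breached", "intrusion"},
    "managerial": {"leaders", "leadership", "governance", "budget", "priorities", "priority", "delivery"},
    "technical": {"malware", "ransomware", "virus", "cloud", "outsourcing"},
    "problem": {"risk", "risks", "threat", "threats", "compliance", "incident", "incidents"},
    "execution": {"governance", "budget", "delivery", "priorities", "priority", "culture", "skills"},
}

def tokenize(text):
    """Bag of words: lower-cased tokens, with stop words and all-caps acronyms (SOX, GDPR) dropped."""
    words = re.findall(r"[A-Za-z]+", text)
    return [w.lower() for w in words if not (len(w) > 1 and w.isupper()) and w.lower() not in STOP_WORDS]

def count(tokens, words):
    return sum(1 for t in tokens if t in words)

def bias(tokens, plus, minus):
    """Score in [-1, 1]: +1 if only 'plus' markers occur, -1 if only 'minus' ones, 0 if neither."""
    p, m = count(tokens, MARKERS[plus]), count(tokens, MARKERS[minus])
    return (p - m) / (p + m) if p + m else 0.0

def analyze(reports=REPORTS):
    """Per-report metrics: share of generic words, tone, managerial/technical orientation, risk vs threat."""
    metrics = {}
    for year, text in reports.items():
        toks = tokenize(text)
        metrics[year] = {
            "generic_share": count(toks, GENERIC) / len(toks),
            "tone": bias(toks, "positive", "negative"),
            "orientation": bias(toks, "managerial", "technical"),
            "risk_count": count(toks, {"risk", "risks"}),
            "threat_count": count(toks, {"threat", "threats"}),
        }
    return metrics

def decade_means(metrics, split_year=2010):
    """Average each metric over the reports before and from split_year (the talk's demarcation line)."""
    halves = {"before": [], "after": []}
    for year, m in metrics.items():
        halves["before" if year < split_year else "after"].append(m)
    return {half: ({k: sum(m[k] for m in ms) / len(ms) for k in ms[0]} if ms else {})
            for half, ms in halves.items()}

def problem_vs_execution_ratio(reports=REPORTS):
    """How many times more often 'what could go wrong' markers occur than execution markers, all reports pooled."""
    bag = Counter(t for text in reports.values() for t in tokenize(text))
    problem = sum(bag[w] for w in MARKERS["problem"])
    execution = sum(bag[w] for w in MARKERS["execution"])
    return problem / execution if execution else float("inf")
```

On the constructed excerpts, `decade_means(analyze())` shows the generic share and the positive, managerial bias falling after 2010 while threat counts rise, and `problem_vs_execution_ratio()` comes out at 8/3; the talk's own figures (a 2010 demarcation, a 3.5 ratio) come from the real corpus, not from this toy data.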