Good afternoon, and many thanks to our participants for joining me on this session. Many, many thanks to KuppingerCole for inviting me to speak to you one more time at the Cybersecurity Leadership Summit. I think it's now my fifth participation in CSLS.
I mean, my first one was probably in 2018. I've had many opportunities over the years to talk to you around cybersecurity, leadership, management, and governance matters. Delighted to be with you.
Apologies, I cannot be with you physically in Berlin this year, but delighted to join you remotely for this session. I'm JC Gaillard. I'm the founder and CEO of Corix Partners, and we are a boutique management consulting business based in London, focused on assisting C-level execs with cybersecurity strategy, organization and governance challenges. This morning, I'm gonna be talking to you around the cybersecurity technical debt: what it is, where it's coming from, where it is a problem, what can be done about it.
I don't pretend to have any kind of magical solution, but I will try to give you pointers and hopefully that will help some of you who have those problems moving forward. And a few very basic house rules before we get further: the session is recorded.
Obviously, if you have any questions, you will get all my details at the end of the presentation and also on the contact page of corixpartners.com. You can also get my details from the KuppingerCole team if necessary. I would be delighted to answer any question you may have or to exchange with you on the topic in any way, by email or by any other means. So let's get started.
The cybersecurity technical debt, what are we talking about here? What is it?
Where is it coming from? Where is it a problem? What can we do about it?
So what are we talking about exactly? I'm going to start by stating something. Many of you will probably regard it as pretty obvious, but it has to be said as a starting point. For the past two decades, many large organizations have kept addressing cybersecurity purely as a technical problem to be solved through technical means. And in itself, that is a problem. It's a problem because of course, cybersecurity has never been a purely technical problem.
People, process, technology, we all know that. Those of you who come to those conferences and those events would have heard it time and time again. And second, we also have to start facing the fact that we keep seeing cyber attack after cyber attack, week after week, month after month. So we have to start asking ourselves whether large organizations are simply failing to protect themselves. And at face value, one can question whether the purely technical approach we've seen over the past two decades is actually working or not.
When you raise this problem with cybersecurity professionals, the dominant view across the industry is that this is due essentially to the fact that threats morph constantly and faster than firms can adapt. My reaction to that is yes and no. We also have to acknowledge the fact that basic cybersecurity practices have been well known and well established for over two decades, and they still provide a degree of protection against most threats, and frankly, a good degree of compliance against most regulations as well, by the way.
So large firms somewhere along the line have to accept that they have been plagued by some form of endemic execution problems around the deployment of cybersecurity technical solutions. And in particular, in my opinion, this is rooted in some form of disconnect between business cycles, which are essentially short-termist, and the longer timeframes which are generally required to build up cybersecurity maturity levels in large organizations.
In short, to put it slightly differently and to relate it a bit to my own field experience as a consultant, we still come across all too often cybersecurity strategies which are not really strategic, which are invariably architected around technical projects and technical tools. But the deployment of those tools rarely goes beyond quick wins, because business priorities shift and rarely look over the medium to long term, as would be required in many large organizations to deliver real and lasting change around cybersecurity through the full deployment of those tools.
The CISOs leave after a few years out of frustration at the slow progress, very often for more money. But that's another matter.
Another CISO comes in, comes in with different views, different pet projects, different pet tools, and that's how the technical debt starts to pile up and keeps piling up. All tendencies which have been greatly exacerbated by the Covid pandemic, which has fuelled, for all sorts of good reasons, strongly tactical approaches around cybersecurity, and the whole thing compounded by a box-ticking culture around compliance and the handling of audit observations, which is ancient but still present in many, many firms.
So if you start putting all those things together, business short-termism and an endemic box-ticking culture, you start to see the engine at the heart of that spiral of failure around cybersecurity. So why is it a problem?
It's a problem essentially because after two decades of playing that game, some cybersecurity practices are now operating around 20 or 30 different tools, according to some surveys. It's not just me saying it; you've got those types of surveys coming out every year. The last one I came across was from Trend Micro. You had one from Cisco before.
Of course, they come from vendors who have an interest in that space. But frankly, it matches my own anecdotal evidence, the anecdotal evidence I collect in the field as a consultant day in, day out. Nothing is ever joined up, because it is simply the result of decades of organic short-termism: strategic plans which were never strategic, as I said, or never rolled out in full; knee-jerk reactions in response to incidents or observations; or even panic buying ahead of regulatory inspections. It results in complex security operational processes,
reverse-engineered around the capabilities of specific individual tools and point solutions: excessively manual, excessively repetitive, frankly boring for the analysts in charge of delivering them, and tremendously expensive to scale up if you need to scale up, if you can find the skills.
That is because, of course, over the last 10 years, most industry sectors have woken up to the criticality of cybersecurity following the rash of cyber attacks we've been seeing over the past decade, and all those different sectors are now competing for a resource pool which has not necessarily grown sufficiently over the period.
So again, the common view across the cybersecurity industry around this problem of skill shortage is that the skill shortage is due to the lack of educational or training opportunities. We don't produce enough cyber professionals. We don't produce enough cyber talent. It's a supply and demand problem.
Again, I think I spoke on the topic at one of the earlier Cybersecurity Leadership Summits, but things are not that simple.
Beyond that supply and demand problem, that educational and training problem, you know, it's not just the talent acquisition rate which is too low across the cybersecurity industry. It's also the retention rate.
And that is taking us back essentially to what I was talking about before: those overly complex and dysfunctional operational processes which are the result of that accumulation of technical debt. The boring entry-level jobs we give to many analysts, who undoubtedly didn't decide to start a career in cybersecurity to end up cutting and pasting data into Excel spreadsheets or to produce useless reports simply designed to put ticks in compliance boxes.
At the first opportunity they leave to do something more exciting, they don't come back, and they carry with them an image of the cybersecurity industry which they shouldn't be carrying with them and which does not match the reality of what the industry is about. I could also mention issues related to mental health and burnout; evidence abounds in that space. We start to see the way the problems of the industry are actually interlinked, and the structure of that spiral of failure.
I was talking about as many problems conveniently fuelled, frankly, by the tech industry, which has been making billions on cybersecurity products over the years. We all know that. Fundamentally, you know, it's the excessive focus on tech products to solve cybersecurity challenges that has led to a colossal accumulation of technical debt in that space, and, you know, colossal amounts of technical debt, as we've said, which is the result of execution failures rooted in excessive short-termism and in the box-ticking culture of business leaders. So we can see the structure of that spiral of failure emerging.
If we try to draw it, we get something which looks a little bit like what I'm showing you on the screen here. We start at the top, you know, by highlighting the endemic short-termism and the box-ticking culture of some business leaders, of many business leaders, leading to the tactical focus on quick wins, leading to the proliferation of poorly deployed and under-utilized so-called solutions.
And that's the engine which leads to the accumulation of technical debt. That's what we've been talking about so far in this session.
The accumulation of technical debt leads to excessive operational complexity. The excessive operational complexity leads to talent retention problems and escalating costs. It ends up creating an image for cybersecurity which is the image of something which is a problem and a cost, and it compounds the business reluctance to commit resources, and they end up defaulting once again to their native underlying short-termist and box-ticking tendencies. And that's the sort of spiral I'm talking about here.
I'm not saying all organizations are in that state. I'm not saying this is something the majority of large organizations are facing. I'm saying this is something I see quite often in the field, or too often in my opinion, given the fact that the cybersecurity industry effectively has been evolving for the best part of the last 20 to 25 years. So what can we do about it? As I said at the start, I don't pretend to have any kind of solutions, but I'm trying here to give you pointers.
When I talk to many CISOs, I get the sense that they think this is a problem that needs to be addressed from the top of that representation of the spiral. They think the problem is the tactical focus, that they need to convert that into some sort of strategic focus, and that to unlock those strategic dynamics, they need to convert the business. They need to convince the business. So they think they need to start at the top of that representation of the spiral to unlock strategic dynamics.
I'm not saying this is wrong. I'm saying this is hard, because you may be confronting issues which are deep-rooted in the mindset of the business leaders you are talking to. And it may be difficult for you on your own to overturn those tendencies, which may be deeply rooted cultural tendencies.
I say it many times at conferences, but, you know, don't expect that all organizations are well managed.
You know, don't expect that all organizations are working well. Don't expect cybersecurity projects to deliver in an organization where projects generally don't deliver. Don't expect cybersecurity governance to be well organized and well structured in an organization where corporate governance is not well organized and not well structured. So CISOs trying to address the problem in that way need to acknowledge that this is effectively a very hard route
they are all taking, and I very often end up advising them to look at the problem the other way around, and to start addressing the problem at the bottom, to start looking at the operational dynamics at the bottom, and to prove their worth, so to speak, by unlocking the operational dynamics at the bottom of that representation of the spiral of failure.
And it starts fundamentally by, well, stop buying more tech for the sake of it every time something happens. And it starts by focusing on the decluttering of the cybersecurity technical landscape.
I came across a suggestion, I think from Greg Day, who was the EMEA CSO at Palo Alto Networks, saying, you know, in some articles, for every new solution remove two legacy solutions. I think this is a very good start and a very good suggestion. I would only say that it's probably easier said than done, because to achieve that, cybersecurity leaders will have to look back at the structure of their operational processes, confront their reality and streamline those.
They will also have to look differently at automation and focus automation on improving efficiency, the efficiency of analysts in particular, the efficiency of operational processes, so that analysts can dedicate more time to more challenging tasks, the more challenging tasks for which they have been trained and hired, by the way. And by doing that, you also engineer far better retention dynamics by giving them far more exciting jobs to do.
This is about going back to people, process and thinking: process and people,
then technology. Not technology for the sake of it, but technology in support of security processes which are designed to protect the firm and its people from cyber threats. It's certainly more difficult to execute and to sell internally than buying the next shiny tool to put a tick in some compliance box. But it's where cybersecurity leaders have to start, to start controlling the technical debt in that space, to stop the endless creation of technical debt and to start bringing the existing one under control.
Because that has become a vital element in the future of the cybersecurity industry, in my opinion. I'm gonna stop here. I have been delighted to speak to you this afternoon. You've got all my details on the screen. I would be absolutely delighted to exchange with you on any of those aspects if you have any questions, any comments or anything you want to share. And once again, many, many thanks to KuppingerCole for inviting me to speak to you, and I wish you all a very good rest of the day and of the conference. Thank you very much to all.