Good morning and many thanks to all of you for joining us on this session this morning. My name is JC Gaillard. I'm the founder and managing director of Corix Partners. And we are a boutique management consulting business based in London, which I established about 10 years ago, and which is focused on assisting C-level executives with cybersecurity strategy, organization and governance challenges. I'm delighted to be with you this morning. Many thanks to KuppingerCole for inviting me again. I think this is now my fourth appearance at CSLS.
So many thanks to KuppingerCole for that. This session is prerecorded. So if you have any questions, you can submit them through the chat. I'll do my best to answer them as soon as I can. You'll get my details as well at the end of the session. And by all means, you know, feel free to reach out if you want to exchange on any of the topics we're gonna be talking about this morning.
I'm going to be talking about security culture and governance, essentially, and how and why they are absolutely essential in establishing any kind of cybersecurity transformative dynamics in large organizations. That's the basis of what I'm going to be talking to you through this short presentation. I've titled it "Cybersecurity: Operational Illusion", and subtitled it, just to coin a phrase, "Security culture and governance eat tech for breakfast".
And that's a little bit what we're gonna be talking about this morning. So first of all, I want to take you back a little bit through the context of the last 18 months, if you want, and what we've seen happening throughout the pandemic period and the period we've been going through in 2021, which is probably the first step of some form of post-pandemic period. For me, from a cybersecurity perspective, but from a broader business perspective as well, it's absolutely clear that the focus throughout the period has been entirely on operational matters.
You know, the services industry has had to move into remote working at scale, literally within weeks. The manufacturing sector has had to keep supply chains going and continues to have problems with supply chain, as we know. Many, many retail businesses have just had to reinvent themselves as digital businesses, literally within weeks, again. So fundamentally for many, many, many businesses, it's all been about keeping the lights on. Many businesses have been challenged. Many businesses have been going through very, very, very difficult months.
And of course at the other end of the spectrum, many businesses have thrived. And frankly, for me, that's the second dominant factor of the period, if you want. Technology and cybersecurity have been at the heart of all this and are continuing to be at the heart of all this. It was not very, very difficult to predict, to be honest.
And at Corix Partners we wrote about it as early as April last year. You know, it was clear that tech and cyber were going to emerge as winners in some shape or another once the dust has settled over the pandemic, but nevertheless, the focus has been entirely on tactical matters for the best part of last year. Very few businesses could see beyond the short term. It has remained the case for the best part of 2021 for many.
And it's hard to criticize as a business approach, and I'm certainly not criticizing, given the depth and the scale of the crisis, but nevertheless, this is the context in which we need to talk about cybersecurity and the way it has evolved, if you want, throughout the period.
So why is this a problem for cybersecurity in large firms? Well, fundamentally, from my perspective, the period we've been going through over the last 18 months has perpetuated and aggravated some endemic firefighting tendencies, which have been there in the industry for the best part of the last 10 years.
And, you know, the last time I was with you guys in Berlin, I actually presented on that very topic. And that was in 2019.
You know, this is a tendency or trend which is not to be overlooked, frankly. It is dangerous, to be honest. It traps the CSOs into operational dynamics. It prevents them from developing in terms of leadership and management skills, because they're constantly firefighting technical problems. It prevents them from building up a narrative with senior executives which goes beyond purely technical and tactical matters.
And fundamentally it does not bring forward the necessary maturity changes if that's what's required in terms of security, governance, security organization, and security culture.
And frankly, it will be a problem in many large firms as they emerge on the other side of the pandemic, or indeed as they've been going through the pandemic and the post-pandemic period, because if you've been locked for the past 10 years in slow-moving, expensive security programs and some form of adverse prioritization of the spending with your business, then, and now you need to pivot onto a transformative dynamic because cybersecurity has become an essential part and a fundamental pillar of your new normal, because your business has been digitized at pace by the pandemic.
If you need to pivot from that firefighting, reactive dynamic into a transformative dynamic, well, it's not that straightforward. And frankly, to me, it's an illusion to think that, you know, the sort of tactical and operational focus we've seen over the past 18 months is truly transformative by itself. It could be counterintuitive for some people, but for me, it's key to move past that operational obsession with cybersecurity to truly unlock long-term transformational dynamics.
You know, the idea that the protection of the business from cyber threats can result entirely and purely from the implementation of technical tools in absence of any kind of coherent overarching vision, frankly, to me, this is a concept which is flawed from the start. The tactical knee-jerk reactions simply add layer upon layer of technical legacy. You know, you end up simply creating more and more technical debt.
And on top of that, those tools are really not well suited to the real needs of the business. They end up being difficult to deploy.
And you cannot blame the senior management for asking questions when they see the CSO coming year after year, asking for more money in spite of, you know, breaches which keep happening, and in spite of having spent millions, literally, over the years. Because on top of that, very often S operational processes are simply engineered or reversely engineered around the capability of the tools. That leads to escalating operational costs. And at some stage, the CISOs don't know what to do but to throw more resources at the problem. You know, it creates staff shortages.
It creates the appearance of a skill gap, and fundamentally the CSOs over time feel alienated. They leave. We all know that there is a significant problem, in my opinion, around the tenure of the CSOs, which is probably somewhere around 24 to 30 months, and all that fundamentally builds a narrative by which security becomes a problem.
And the cost, frankly, and over time, nobody wins. So if you've heard me speak at CSLS or at other events, you would probably have heard me talk about that spiral of failure. And for me, the last 18 months, I've frankly ed it, and many large organizations, if they need to raise their level of cybersecurity maturity, because it has stagnated for a decade because their was strapped in firefighting, or because the business was prioritizing adversely on cyber security issues.
And frankly, those industries, all those organizations have to realize that simply throwing money at the problem is probably not the solution, or not the only solution, or not the best place to start, in my opinion. So how do you go about creating a transformative dynamic around cybersecurity in that kind of context?
Well, in my view, more than ever, this is now the time to think in terms of people first, then process, then technology. If your objective is to build a lasting transformational dynamic around cybersecurity, you know, you need to build a vision that has to come from the top. It has to come from the top and be relayed across all the silos of the enterprise. Cybersecurity cannot just be seen or left as the responsibility of the CIO or the CSO.
It needs to be embedded in a credible and visible business purpose, and it needs to be communicated coherently to the staff by senior management. And more importantly, it needs to be relayed and enforced by a proper governance framework. This is not just about culture. This is not just about vision, fundamentally.
This is about governance, and by that I mean roles, responsibilities clearly distributed and clearly attributed across not just the security function or all the IT functions, but across the business as well, and across all the silos of the enterprise and across all the geographies of the enterprise as well. And it's really the embedding of security values in corporate culture and in corporate governance which ultimately should drive transformative efforts around cybersecurity.
And it's the only dynamic which will lead any organization of a certain size towards cyber resilience. And I know it's harder to put in place than buying more tech or doing one more pen test, but frankly, this is the key to long-term transformative success around cybersecurity. And I'm going to leave it at that for this morning. Many, many thanks for listening to me. I hope this has been thought-provoking, I would say, for some, and I'd be very happy to discuss further or to exchange with any of you on any of those aspects.
You've got my details here on the screen. Feel free to reach out by email or any other way. Many thanks once again to KuppingerCole for having me at CSLS one more time, and I wish you all a very good rest of the day and a very good rest of the conference.
Many, many.