Cybersecurity isn’t underfunded — It’s undermanaged

The narrative surrounding cybersecurity budgets often revolves around convincing boards and justifying investments. This is evident in the various approaches that aim to justify return on investment and quantify risk, all of which are data-driven and designed to build a rational argument.

However, do these approaches reflect the reality of decision-making at the top of large organizations? While they are part of the bottom-up narrative that CISOs, cybersecurity consultants, and vendors have been building toward top executives over the past two decades, they clash with three key aspects of real-life enterprise dynamics:

1. Cognitive Biases and Enterprise Dynamics

Decision-making at the enterprise level may appear rational, but it is often heavily influenced by cognitive biases. This is particularly evident in cybersecurity, where it is common to see sudden changes in priorities and investments in response to events such as regulatory investigations, bad audit reports, incidents, near misses, or competitor breaches.

In these scenarios, concerns around return on investment or risk reduction are cast aside, and top executives are more focused on ensuring that boxes are checked and evidence is provided to demonstrate their efforts in preventing a similar breach. If execution fails, the CISO is often held accountable, earning them the nickname “Chief Incident Scapegoat Officer.”

2. The “When-Not-If” Paradigm with Cyberattacks

Over the past two decades, the business impact of cyberattacks has become increasingly apparent, with many board members now aware of the potential consequences. This shift in awareness has led to a new paradigm, where the focus is on being prepared for the inevitable rather than trying to prevent it.

3. The Profile of CISOs and Chronic Execution Failure

The profile of CISOs is also a significant issue, with many being technologists by trade and background, rather than business leaders. This lack of management experience, political finesse, and personal gravitas can make it challenging for CISOs to navigate complex corporate dynamics and deliver on their plans.

The result is chronic execution failure, which is linked to endemic business short-termism. Projects are often deprioritized as soon as quick wins are delivered or boxes are checked on compliance reports. This short-term focus can lead to frustration among CISOs, who are often left out of decision-making processes and have short tenures. For top executives, the CISO merry-go-round can be frustrating, as they see many CISOs come in with grandiose plans, only to resign after a few years, leaving their initiatives incomplete.

The First 100 Days: Where Trust is Won or Lost

The first 100 days of a CISO’s tenure are critical in building trust with stakeholders and establishing a strong narrative. However, many CISOs make the mistake of trying to prove themselves as technical specialists rather than focusing on building relationships and understanding the organization’s dynamics.

The first 100 days should be about co-constructing a cybersecurity narrative and strategy with stakeholders, rather than trying to justify investments or demonstrate technical expertise. By doing so, CISOs can build trust and establish themselves as leaders who can navigate complex corporate dynamics.

Ultimate Takeaway

The future of cybersecurity leadership belongs to those CISOs who recognize that building influence and trust is crucial to their success. Boards no longer need to be convinced that cyber risk matters; instead, they need confident, culturally attuned leaders who can navigate complex corporate dynamics, build trust with stakeholders, and orchestrate delivery across silos.

The first 100 days set the tone for a CISO’s tenure, and it is crucial to get it right. By listening, aligning, and co-creating a narrative that business leaders feel ownership over, CISOs can move from pleading for resources to shaping strategy as true executives.

Key Takeaways:

  • CISOs need to navigate cognitive biases and enterprise dynamics to create a compelling narrative.
  • The profile of CISOs is often a barrier to effective leadership.
  • Chronic execution failure, not under-investment, is the root cause of stagnation in cybersecurity maturity levels.

Conclusion:

Cybersecurity leaders who build influence, trust, and a compelling narrative will be successful. Boards need confident, culturally attuned leaders who can navigate complex corporate dynamics. By focusing on building trust and establishing a strong narrative, CISOs can deliver transformative impact and shape the future of cybersecurity leadership.
