The CISO's ongoing struggle to deliver on cybersecurity strategy

CISOs are stuck firefighting day-to-day issues and have no time for strategic planning, our survey finds. Group Managing Director Stuart Jubb talks us through the ongoing challenges CISOs face and considers what can be done.


Our recent survey of 200 cybersecurity professionals suggests CISOs are struggling with the range and sophistication of cybersecurity threats and the accelerating pace of technological change. The problem is global, systemic and needs to be addressed strategically. However, CISOs are stuck putting out daily fires.


Almost half of respondents (44 per cent) say their organisation has only enough capacity to focus on immediate and medium-term threats and technology trends. There is no time for strategic planning.

Three-fifths (61 per cent) of those we interviewed described themselves as only “fairly confident” in their ability to manage their current exposure to cybersecurity threats. Furthermore, two-fifths (40 per cent) believe that their existing cyber strategy will be obsolete within two years and a further 37 per cent expect it to be irrelevant within three.


One experienced CISO at a global company told us, “We’re facing repeat crises. They aren’t always cybersec, but there’s always a cybersec angle. Even Covid had a cybersecurity angle because we had to make sure remote working could happen safely.”


While it is true that the speed of change in cybersecurity can sometimes require a change of approach, that is more of a tactical consideration. Organisations should be thinking strategically, which means looking five years ahead. The resulting strategies should be flexible enough to accommodate a degree of uncertainty.


The brittle nature of the strategies that our survey respondents are employing suggests a more fundamental problem. Ultimately, it is important to understand your role. The CISO should be communicating outwards and upwards, and directing effort, not firefighting.


The short-term threats that hog attention

Many short-term issues and challenges are overwhelming cybersecurity teams, with a large majority of respondents finding every area of cybersecurity either a little, somewhat or very challenging.


Almost all (85 per cent) of respondents said they struggle to some extent with detecting or identifying the occurrence of a cybersecurity event or threat and the same proportion (85 per cent) struggle with third parties failing to disclose breaches in good time.


Third parties themselves are an issue. More than four-fifths of the executives we talked to (83 per cent) say they struggle to ensure their supply chain has a watertight ability to defend against threat actors and recover from attacks. The scale of these struggles suggests that the current approach to cybersecurity needs a rethink.


As another CISO said, existing technology often creates challenges: “People think cybersecurity is about buying technology, but there’s still a massive problem with technical debt. We have machines that are too old for antivirus to be installed, for example.”


Tasks that are considered ‘basic’, such as patching, can also be harder than they appear. Organisations with significant legacy systems might find that patching takes a month or two. Meanwhile, our interviewees told us, putting in place a long-term cyber strategy takes two or three years, all while managing the day-to-day. It seems that the resources to make that happen are not available.


The CISO needs to understand the threats, their risk and likelihood, assess the improvements that could be made, and then make a case for the costs.


Chasing tomorrow’s strategy while struggling to deliver on that of today

With so many short-term problems, it’s no surprise that respondents say they can’t focus on strategy. Delivering on the current strategy is difficult and planning the next is virtually impossible. A good strategy should be forward-looking, well-resourced and capable of withstanding changing circumstances. To deliver that, organisations must start thinking about the structure of their teams and the talent pool available to them.


For details on how to build a more strategic approach to cybersecurity, read the report.
