TLDR:
- The bottom-up approaches to cybersecurity that have been employed for the past 20 years have failed.
- The role of the Chief Information Security Officer (CISO) was not originally created out of a proactive management decision to protect the business.
- A generation of security practitioners has been trapped in a mindset that seeks to justify the legitimacy of cybersecurity measures.
- Collisions between bottom-up approaches and corporate short-termism have hindered progress in cybersecurity.
The author argues that the traditional bottom-up approaches to cybersecurity have not been effective in protecting businesses from threats. The role of the CISO, historically, was not established based on a proactive decision by senior management to prioritize security. Instead, it emerged as a response to audit or regulatory observations, often seen as a necessary evil.
The role of the CISO has evolved over time, but many security practitioners are still trapped in a bottom-up mindset. They constantly seek ways to justify the importance of cybersecurity to the business and struggle with issues such as their reporting line within the organization. Despite efforts to broaden acceptance of security measures, these approaches have often fallen short.
The author attributes this lack of progress to corporate short-termism and dysfunction. Endemic short-term thinking within businesses has hindered the effective implementation of cybersecurity measures. The article suggests that it is time to try a different approach to cybersecurity, moving away from the bottom-up mindset and seeking alternative strategies that prioritize proactive management decisions and long-term security.
In conclusion, the article argues that the traditional bottom-up approaches to cybersecurity have failed: the role of the CISO was not initially established on a proactive decision to protect the business, many security practitioners remain trapped in a bottom-up mindset, and collisions between that mindset and corporate short-termism have hindered progress in cybersecurity. A new approach is needed, one that prioritizes proactive management decisions and long-term security.