Build a Vibrant Culture Podcast


What if cybersecurity isn’t an IT issue but a leadership failure?

In this episode of the Build a Vibrant Culture Podcast, Nicole Greer sits down with global cybersecurity expert JC Gaillard, founder of Corix Partners, to unpack why most organizations are approaching cybersecurity all wrong and what leaders must do differently.

This conversation dives into work culture, organizational culture, leadership and business strategy, and the critical role of executive ownership in protecting your company. You’ll learn why cybersecurity is no longer about prevention. It’s about resilience, trust, and execution across the entire organization.

In this episode, you’ll learn:
  • Why cybersecurity is everyone’s responsibility, not just IT
  • The dangerous “spiral of failure” most companies are stuck in
  • The real reason throwing money at cybersecurity doesn’t work
  • How short-term thinking is putting businesses at risk
  • Why trust—not technology—is the foundation of real security
  • What leaders must do to embed business protection into culture

Remember, in today’s world, it’s not if, it’s when.

This episode is for:
Leaders, executives, HR professionals, and business owners who want to strengthen organizational culture, improve leadership effectiveness, and protect their business from real-world threats.


Recommended Books by JC Gaillard:
Cybersecurity Spiral of Failure
The First 100 Days of the New CISO
A CyberSecurity Handbook for the CISO and the CEO


The Build a Vibrant Culture Podcast helps leaders improve work culture, communication, and business performance through real-world leadership strategies and practical insights.

Learn more about training, coaching, and courses at https://vibrantculture.com
Connect on LinkedIn: https://www.linkedin.com/in/build-a-vibrant-culture-nicole-greer/
For speaking inquiries: https://vibrantculture.com/speaker-kit-request/
Download our training catalog: https://vibrantculture.com/catalog-request/
Want to be a guest? Send your request to podcast@vibrantculture.com

What is Build a Vibrant Culture Podcast?

The Build a Vibrant Culture Podcast explores the real-world strategies behind building strong work culture, improving organizational culture, and leading with clarity in today’s fast-changing business environment.

Hosted by leadership expert Nicole Greer, this podcast features conversations with business leaders, executives, and entrepreneurs who are shaping modern business culture through effective communication, leadership development, and intentional management practices.

Each episode delivers practical insights into leadership and business, including topics like team communication, project management, career growth, and creating workplaces where people perform at their best.

You’ll gain actionable tools, frameworks, and leadership skills you can apply immediately through coaching concepts, real-world examples, and professional development strategies, whether you’re a manager, executive, business owner, or emerging leader.

If you're looking for guidance on building a thriving organizational culture, improving communication, or advancing your leadership career, this podcast is designed for you.

JC Gaillard Episode
[00:00:00] Nicole Greer: Welcome everybody to the Build A Vibrant Culture podcast. My name is Nicole Greer and they call me the Vibrant Coach. I have another amazing, vibrant guest on the show today, and he is all the way from across the pond. I have JC Gaillard with me. He is the founder and CEO of Corix Partners, a UK-based boutique management consultancy firm, and a thought leadership platform focused on assisting CIOs and other C-level executives in resolving cybersecurity strategy.
[00:00:32] Nicole Greer: And it is a thing. Organization and governance challenges. He is a French and British national and he is a leading strategic advisor and a globally recognized cybersecurity thought leader, with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the security field across global organizations, looking beyond the technical horizon into strategy, governance,
[00:01:04] Nicole Greer: culture, don't miss that, and the real dynamics of business transformation. And look what he sent me all the way from the UK. He's got two amazing books. The Cybersecurity Spiral of Failure, which we're gonna focus on, and maybe we'll get to this one, The First 100 Days of the New CISO. There's lots of applicable things in here for all of my HR people that are listening.
[00:01:29] Nicole Greer: And of course the leaders. Welcome to the show, JC.
[00:01:33] JC Gaillard: Many thanks for inviting me, Nicole. I'm very happy to be with you and I'm looking forward to this discussion.
[00:01:39] Nicole Greer: Yeah.
[00:01:39] JC Gaillard: About culture. It's not about tech. It's not about tech. It's not about tech, or not just about tech. That's what we're gonna be talking about.
[00:01:47] Nicole Greer: Yeah, absolutely. And everybody listening, could you just listen to JC talk for about 10 hours? I love his accent. Oh my gosh. All right, so the first thing we wanna talk about is the fact that, you know, if we're going to be talking about cybersecurity, one of the main key points in your book is that this is not just for the chief information officer.
[00:02:07] Nicole Greer: This is for everybody. Well, how is it everybody's responsibility to be thinking about cybersecurity?
[00:02:14] JC Gaillard: The thing is, you know, cybersecurity has been around for the best part of the last 20 or 30 years in one shape or another. Okay. Good practice in that space has been structuring itself for the past 30 years. For the first 10 years of the century, you know, we were looking at it from a compliance angle.
[00:02:32] JC Gaillard: It was pretty much about, you know, low probability, low impact type of events. And it was just about putting ticks in boxes on compliance forms, and that's what it was about. And then when we turned into the second decade of the century, things started changing. With the advent of the cloud, you know, mobile devices, we've started to see all sorts of cyber attacks developing in all sorts of different ways.
[00:02:58] JC Gaillard: And that trend has continued and is now accelerated with AI and everything we're seeing. So all in all, you know, if you want, if I look at the dynamics at board level, the things that have changed a lot over the past decade, if you want: the people at the top of the organizations, they know it's a matter of when, not if. You know, they know about cyber, they hear about it all the time.
[00:03:21] JC Gaillard: And it's that culture we are now seeing effectively developing across any large organization. It's about when, not if. Therefore it becomes everybody's problem, in a way, in that sense. And the guys at the top of any large organization, they know it. It's all about when it's going to happen.
[00:03:39] JC Gaillard: We've moved past that risk culture, if you want. It's no longer about risk. It's about resilience, and that becomes everybody's problem. I think that's what I'm trying to develop in the two books you've mentioned. Actually it's part of a series of three books. There is another one, the Cybersecurity Leadership Handbook for the CSO and the CIO, which is essentially a compilation of articles.
[00:04:05] JC Gaillard: I started writing around 2015. I realized around 2017, 2018 that I had enough to put in a book, and I compiled all my articles into the Cybersecurity Leadership Handbook, and then the Cybersecurity Spiral of Failure came later. It's effectively designed as a management summary, if you want, for the Cybersecurity Leadership Handbook, and then The First Hundred Days, which you showed.
[00:04:29] JC Gaillard: Thank you, which is the last
[00:04:31] Nicole Greer: You're welcome.
[00:04:32] JC Gaillard: The last book, which I released late last year, sorry. And it expands on one section in the handbook, which is precisely about the first hundred days of the incoming CISO, the Chief Information Security Officer. And I'm trying to look at it from a leadership angle and analyze what the dynamics are in those first hundred days that are going to make you successful.
[00:04:54] JC Gaillard: Because what we are seeing quite a lot in the cybersecurity industry is CISOs, Chief Information Security Officers, changing jobs quite often. It's one dimension of that spiral of failure. The short tenure of the CISO is the fundamental cornerstone of the problem here. You know, they stay two or three years in the same job and then they move on.
[00:05:14] JC Gaillard: You achieve very little in two to three years in large organizations because they're just too complex. They're inherently siloed. They're inherently territorial, political, driven by personalities. Two or three years is nothing. You know, you don't achieve anything transformative. And that's the cornerstone of long-term stagnation, in my view.
[00:05:33] JC Gaillard: So the books are linked in that way. I'm sorry, I'm talking at cross purposes here. I hope I've answered your question. Sorry.
[00:05:40] Nicole Greer: You have answered my question. Yeah. So, he just shared the trajectory of what's happened, and so I don't want you to miss, he said it's not if you're gonna get hijacked. Okay. Yeah. Your information. It's like when, and I can't mention clients' names, but since 2007 when I started my business, two of my major clients have had incidents.
[00:06:03] Nicole Greer: In fact, I rolled up, JC, to deliver training with a client and I got stopped before I got into the parking lot, and they said, nobody can come in, the FBI is here. I'm like, the FBI? And then he's like, yeah, the FBI is here. They're here 'cause there's been a cybersecurity breach and we're not doing anything today.
[00:06:23] Nicole Greer: And actually the organization was being held hostage for a big price. And it was like we, the only thing we can work on today is getting control of our systems back. So, I mean, I was shocked. You know, because you just think this is the stuff that happens in movies or something, but it's for real.
[00:06:41] Nicole Greer: Right?
[00:06:42] JC Gaillard: This is the thing. It doesn't happen just in movies anymore, and it happens across all industries, and it is truly disruptive when it happens. As you said, you know, ransomware attacks can bring your business down, and then what do you do? And for me, when I talk to my clients, you know, they know it's going to happen.
[00:07:02] JC Gaillard: They want to build that capability, and the challenge is not so much to know what to do, because to a large extent, good practice around cybersecurity has been well established for the best part of the last 20 or 30 years. Okay, fine. The threats keep evolving, but fundamental good practice, the basics of protecting your business, you know, good identity and access management, good monitoring of your systems, good endpoint protection, you know, the protection of your laptops, of your end devices, all those basics
[00:07:36] JC Gaillard: done well, deployed properly across the real depth and breadth of the enterprise. They protect you and they give you a degree of compliance with most regulations. So, you know, the problem is not so much what to do in many firms, but how you do it, making it happen. And execution, execution, execution.
[00:07:58] JC Gaillard: And if you never go beyond the quick wins, if you never go beyond, you know, the low-hanging fruits in every project you start in that space, you will never build maturity. And ultimately what we are seeing here, which is the real root cause of the spiral of failure we've been talking about, is business short-termism.
[00:08:18] JC Gaillard: It's the endemic short-termism of many business leaders. You know, never looking beyond those quick wins. Never looking beyond those low-hanging fruits, deprioritizing cybersecurity initiatives. You know, as soon as you can, as soon as you've put that tick in that box, as soon as you've got the right excuse to do it, you deprioritize cybersecurity initiatives to do something else.
[00:08:45] JC Gaillard: It creates frustration. It creates the context in which the short tenure of CISOs is rooted, and that's how the spiral gets going. You know, the CISOs never stay long enough to achieve anything. At best, they start implementing something, then they leave, leaving everything half done.
[00:09:03] JC Gaillard: And you've got that monumental amount of technical debt that's been piling up over the past 20 years. In many organizations, everything becomes complex. Security operations become extremely expensive because of that accumulation of tools, impossible to scale because nothing has ever been designed,
[00:09:21] JC Gaillard: you know, with any kind of overarching architecture in mind. Everything is disjointed. Your security operational processes are all manual because that's the only thing you can do to glue things together. It's impossible to scale because it would necessitate an amount of manpower you just cannot find these days, because
[00:09:43] JC Gaillard: everybody has woken up to the same problem. So everybody's stepping into the same pool of cyber resources, which has not grown sufficiently fast. And you can see the way the problem snowballs into something unmanageable. Cybersecurity becomes a cost. It becomes a problem. And you can see the way distrust breeds, effectively, between the security teams and the top execs, because the top execs
[00:10:08] JC Gaillard: keep seeing CISO after CISO coming in, asking for more millions, you know, with a grandiose transformation plan, and then leaving after a few years, leaving everything half done. And you can understand where the distrust comes from here between the guys at the top and the security people.
[00:10:26] JC Gaillard: And that's the spiral of failure, effectively, what I've been talking to you about, and many, many organizations are stuck in that. Okay, so how do you break out of it? That's a question for later, I suspect.
[00:10:39] Nicole Greer: Yes, yes. But I didn't want you to slip right past what you said about it's all the way from this very high-level strategy that could be millions of dollars. That's what I think I heard you say. But then also all the way to the front line, to the people that are getting the laptops. Right. And I think that's where a lot of my learning and development and my human resource people, they are onboarding, orientating employees.
[00:11:04] Nicole Greer: And so having a great awareness about cybersecurity and its importance, we need to work it into our onboarding. We need to work it into our orientation. We need to have policy, we need to have procedure, and for our learning and development teams, training needs to be developed, and it's kind of the preventive maintenance that we're doing on our cybersecurity that keeps us in place.
[00:11:28] Nicole Greer: So there's a really high level, you know, I probably won't try to understand it, how to keep cybersecurity in place at that high level, but, you know, hitting where the rubber meets the road, we've gotta get people aware of what's going on out there. Right. So some companies do that really well and some companies aren't doing it at all, to your point.
[00:11:46] Nicole Greer: Right. Okay. So how do we get something great in place? In your book, you talk about only a cultural shift across the boardroom can move the needle. Yeah. So, you know, when we build a vibrant culture, cybersecurity is part of this vibrant culture, like we've gotta have it in place.
[00:12:08] JC Gaillard: Yeah, you've just mentioned security awareness, and I think it's absolutely typical of the kind of situation we're going to be talking about. You know, you don't build a security culture by deploying courses or, you know, telling people what to do. Okay. It's really about influencing, it's really about embedding business protection values from the top in the culture of the firm. Okay, let's forget security. Forget cyber. Forget everything. It's about business protection ultimately. You've got bad guys out there who can cause you harm, and, from the top,
[00:12:46] JC Gaillard: everybody across the firm needs to understand that this is serious, that this is taken seriously by the guys at the top. And it just needs to form part of that shared set of values, you know, that the people working across the firm have to share, and that comes from the top.
[00:13:06] JC Gaillard: And that's what I meant about, you know, a shift from the top to move the needle. The guys at the top of the firm, effectively top execs, board members, have to understand that they have to embed those values in the way they talk, in the way they address the staff, and, ideally, I think it's going to have to evolve towards having some form of cyber resilience officer at the top of the firm.
[00:13:37] JC Gaillard: Chief Resilience Officer, Chief Trust Officer. There are many of those terms starting to appear, you know, in leadership circles, and I think we're heading in that direction, but those concepts, business protection concepts, have to be visibly embedded, embodied even, at the top of the firm, so that culture can then cascade. Deploying courses left, right, and center, telling people what to do,
[00:14:02] JC Gaillard: if they see constantly the guys at the top of the firm doing something else, that will never work. Okay.
[00:14:09] Nicole Greer: Oh yeah. And when I mentioned that I meant, you know, it comes from the top, but then I'm trying to apply it to what HR people might be responsible for on the end, right? So as it cascades and they have those values, you know, we have to have that awareness that this is something that needs to be on the radar.
[00:14:26] JC Gaillard: It's really a matter of business protection values. It's really a matter of understanding that the threats are real and that the business at large needs to be
[00:14:35] Nicole Greer: Absolutely.
[00:14:36] JC Gaillard: And it's all about, you know, the guys at the top of the firm, the people at the board, top of the firm, really credibly, demonstrably, constantly and consistently talking that language.
[00:14:50] JC Gaillard: Okay. And I think myself that we are going to have to move away from the type of organizations we've been building in terms of cybersecurity for the past 20 years. I think that model has come to an end. You know, what we are expecting from CISOs today is probably totally unrealistic.
[00:15:10] JC Gaillard: You know, we have been amalgamating all sorts of responsibilities around that role, which are making the role literally impossible to carry, at least impossible to carry for the type of people it attracts, who are mainly technologists by background, if you want. 'Cause if you look at the nature of the role today, one day you are expecting the CISO to be credible in front of the board.
[00:15:31] JC Gaillard: The next in front of auditors, the next in front of regulators, the next in front of developers, the next in front of senior IT management, the next in front of HR people, and the rest of the firm through awareness programs and the like. It's impossible. Those profiles don't exist. Okay. It's totally impossible. They just don't exist.
[00:15:51] JC Gaillard: Or if they exist, they're so rare that, you know, it's probably pointless to try to look for those kind of people. So I think that construct has reached the end of its life, if you want. It has developed organically for the past 20-odd years, and now we are reaching the point where we have to think about where this is really going.
[00:16:11] JC Gaillard: And I think we need to split the role back to maybe what it should have been. You know, start with a technical role focused on the protection of the technical assets, and then the leadership role pushed up and genuinely focused on the protection of the firm, with Chief Resilience Officer probably starting to emerge.
[00:16:34] JC Gaillard: It's a good concept, I think, but you need to amalgamate the right kind of items, if you want, in the portfolio to make it suitable and attractive as a genuine career step for a genuine business person. This role cannot go to a technologist. It has to go to a business person, able to influence across the corporate silos, to influence across geographies, and also to influence across the boardroom.
[00:17:01] JC Gaillard: So it has to be seen as a genuine career step, not a dead end. I insist on that because very often, you know, there might be the temptation to give that job to somebody who has nothing else to do in the organization. And, well, we know it happens. Come on. We know it happens. To package the portfolio in such a way that it becomes a genuine career opportunity, a genuine step on the ladder for an ambitious executive, there are enormous opportunities to prove yourself in that space.
[00:17:33] JC Gaillard: You know, if you can sort those things out, if you can demonstrate that you can architect something meaningful to protect the business, in particular in large firms, working across cybersecurity, but also privacy, compliance, business protection, business continuity, crisis management. If you can demonstrate your ability to lead across the business in that sort of space, you are gonna prove yourself and, you know, you're gonna get noticed.
[00:18:01] JC Gaillard: Okay. And that's how it's got to be packaged. And that's the way it's got to be sold, to a genuine, ambitious business exec, not to a technologist. I think we've passed that point. The technology parts have to revert back to technology, and we have to start thinking how we architect business protection in a different way.
[00:18:22] JC Gaillard: I'm talking essentially for large firms here. Of course, I understand in smaller firms it's different. The dynamics are different, but the core of my clients are large firms, and that's essentially the audience I'm talking to, if you want.
[00:18:37] Nicole Greer: Yeah. Yeah. I like how in your book you talk about three big mistakes that organizations make. And so I think this is a good check for people. You say downgrading it, we have bigger fish to fry, so they don't make this a priority. Number two, seeing it as an IT problem,
[00:18:59] Nicole Greer: and saying that IT is dealing with it. And then the third one is throwing money at it. How much money do you need to get this fixed? Right? And so don't miss what JC is saying here, like, you know, we need to go find this unicorn who is gonna protect the business. Be it a business person who has tech
[00:19:20] Nicole Greer: people who can do the technical side of it, but somebody who can do the influencing, the persuading, the teaching, the instructing, and bringing everybody up to speed, instead of maybe the C-suite thinking, just shove it over there. Like, it's gotta be brought into the everyday, into our decision making.
[00:19:37] Nicole Greer: So I, I like these three checks you've got.
[00:19:40] JC Gaillard: And I think the most important one is the last one. You know, thinking that you're gonna solve that problem just by throwing money at it. And that's a constant in the cybersecurity industry, that's a constant. Everywhere you look, you've got cybersecurity people complaining that, you know, they haven't got enough money.
[00:19:57] JC Gaillard: Their budgets have been cut, this and that. And beyond that, the fact that, you know, the board doesn't get it. Top execs don't get it. You know, we don't have enough resources. We don't have enough resources. We don't have enough resources. I've been hearing those complaints for as long as I've been involved in that space.
[00:20:14] JC Gaillard: I really think this is shallow and shortsighted. Nobody asks themselves the right questions. Nobody. You know, large firms have been spending collectively billions and billions on cybersecurity for the last 20 or 30 years. That's the reality. Nobody looks back.
[00:20:33] Nicole Greer: It needs to be in the budget.
[00:20:35] JC Gaillard: Yeah, nobody looks back asking, what's happened? Okay. You know, why are we still here? Why are we still seeing that nonstop avalanche of cyber attacks? What's happening here? Nobody looks back at where the roadblocks have been that have prevented progress. And that's the fundamental problem here. That's the fundamental problem the industry has.
[00:21:00] JC Gaillard: Okay? And that's the starting point of my own journey here, to be honest. That's the starting point of my own journey in terms of writing in particular, because, you know, the first part of my career, as you said in the introduction, I'm French and British. I've been living in London for the best part of the last 30-odd years.
[00:21:18] JC Gaillard: I relocated to France last year, but that's a different story. But overall, when I moved into consulting and created what eventually became Corix Partners around 15 years ago, I was absolutely shocked by what I was seeing in large firms, okay? Large firms that would've had cybersecurity functions in place for
[00:21:42] JC Gaillard: a decade or more, large firms that would've been sending those execs to conferences to lecture the world on, you know, how to organize or how to run your cybersecurity function, and so on. And then one day you get called in, you know, by a new CIO, a new top exec, you know, generally somebody I've been working with before and so on, and one day I get called in and I get to look around and to look under the carpet, and you say, oh my God, you know, and you look at the mess those guys are in, and you have to ask yourself that question.
[00:22:15] JC Gaillard: You cannot just accept this is all because threats evolve too quickly, or threats evolve faster than large organizations can deploy defenses. The problem has to be more complex than that. You have to look back at where the roadblocks are. What has prevented those guys from making more progress? Because again, good practice has been in place for the best part of the last 20 or 30 years.
[00:22:35] JC Gaillard: Okay, so that has to be part of the reflection. That's one part of the reflection the industry is not making, one part of the introspective analysis the industry is not really making, or at least not deep enough. And when you do that, what you find are cultural and governance problems, of course, and that's taking us back to business short-termism and to the fact that, fundamentally,
[00:23:04] JC Gaillard: it's the cornerstone of the spiral of failure, never looking beyond quick wins. Keep piling up tactical solutions. Every time you want to close an audit point, every time you've got an incident happening somewhere or elsewhere, you know, you just pile up tactical solutions.
[00:23:20] JC Gaillard: You keep buying more tools until frankly you realize that, you know, you've reached a level of complexity where you cannot operate anymore. And that's where I'm thinking, you know, this is no longer about throwing more money at the problem. You know, that's been tried and that hasn't worked.
[00:23:36] JC Gaillard: It's about rethinking organizational models. It's about rethinking how a different type of culture can be driven from the top around business protection, around resilience. Taking the problem up one level, if you want.
[00:23:53] Nicole Greer: Okay. Yeah. And I love on page 38, you kind of take a spin on Peter Drucker's quote, he's so famous for. You say, "security, culture and governance eat tech for breakfast." So I love that reference. Okay. So what I'm hearing you say is we've gotta uplevel this whole thing, stop throwing money at it, and we have to have a new thinking about cybersecurity, a new strategy around it.
[00:24:17] Nicole Greer: And looking at these roadblocks, what are the roadblocks that keep showing up? You've mentioned it several times in that last little piece, you were like, you gotta look at the roadblocks. You gotta look at the roadblocks. So what are the roadblocks that we are not getting through?
[00:24:30] JC Gaillard: The central roadblock of the first decade of the century is business short-termism, never looking beyond quick wins, just trying to put ticks in boxes and, you know, make the problem disappear every time something happens, every time you've got a new audit point, every time you've got a forthcoming regulatory investigation.
[00:24:54] JC Gaillard: You know, just making the problem disappear by the next tool that's going to put the tick in that box. That's the main problem that's been plaguing the industry for the past 10 or 20 years. And of course, another dimension of the problem which starts to appear here is that, of course, you know, you cannot expect security vendors
[00:25:18] JC Gaillard: not to play along. It's their business, effectively. You know, they want you to buy the boxes and the software and the services. So they've been massively encouraging that kind of culture, because it's just plainly and simply in their interests.
[00:25:35] JC Gaillard: Okay. And that's another dimension of the problem here, is that the narrative across the cybersecurity industry has been massively dominated by the vendors' narrative. And they have no other interest but to sell you their stuff. Okay? And that's just the way it is. But that's not helping the industry move forward.
[00:25:54] JC Gaillard: That's not helping the industry move forward, period. And that's also something collectively the cybersecurity industry needs to think about, you know, how do you free yourself from that kind of narrative? How do you look beyond it?
[00:26:09] JC Gaillard: Because, you know, large organizations currently operate their cybersecurity operations across anything from 20, 30, 40 different tools. Okay. Of course it's very good for vendors. But think about the complexity it creates from an incident response perspective, for example. Okay, you've got a data breach somewhere.
[00:26:35] JC Gaillard: You're a security analyst, you're working in a security operation center. You need to understand what's going on. Now you have to go and collect data from 3, 4, 5, 6, 7 different tools just to try to figure out what's actually going on. Then you need to somehow analyze that data. To be honest, very often it ends up in Excel because that's the quickest way to get going, right?
[00:26:59] JC Gaillard: And then you need, of course, to take action, figure out what's happened, what hasn't happened, the nature of the problem, the scale of the problem, what you are going to do next. But all that is extremely manual, extremely labor intensive. Of course, AI is helping. It's starting to help in terms of automation around the things I've been talking about.
[00:27:20] JC Gaillard: But we are at the beginning, to an extent. And also AI has given attackers much more powerful ways to engineer their attacks. So you've got those two sides of the same coin, if you want, that we have to bear in mind. But essentially that's an important dimension to bear in mind, I think.
[00:27:41] Nicole Greer: Yeah. Well, you know, I've got quite a few leaders and HR professionals listening to this podcast. And in chapter three, you talk about the consequences on operational security and talent retention. And you go on to say that there's a real life take on the cybersecurity skills gap. So as I've got people thinking, you know, gosh, who would I get and who would I buy this book for in terms of talent, right?
[00:28:10] Nicole Greer: So, how do I find the right CISO and what's the truth about finding a great person?
[00:28:16] JC Gaillard: The reality is that it's a difficult question. Okay. It's a difficult question. We need to go back a little bit to the history of cybersecurity, as we've been touching
[00:28:29] Nicole Greer: Do it.
[00:28:30] JC Gaillard: We've been touching upon it earlier, and we're just going to go back to something we've said earlier.
[00:28:36] JC Gaillard: If I look back when I started in information security, as it was 25 years ago, when I was going to conferences, in the room you had big banks, big pharma, oil and gas, okay. Give or take.
[00:28:50] Nicole Greer: Yep.
[00:28:51] JC Gaillard: And that was it. I'm not caricaturing, that was it. Of course, when you move onto the second decade of the century, as I've been saying, with the advent of the cloud, with the advent of massive data breaches, you know, across a number of industries, the entire economic spectrum has woken up to what cybersecurity means.
[00:29:13] JC Gaillard: Okay. Now effectively everybody's stepping into the same pool, looking for the same resources. Okay. And that pool hasn't grown sufficiently. So you have a genuine problem in terms of skills gap. Okay. A genuine problem in terms of shortage. And it's not just because we haven't increased the pool sufficiently fast. It's because
[00:29:36] JC Gaillard: it was blatantly impossible to increase the pool sufficiently fast, because every single industry sector is now looking for cybersecurity specialists, okay? And it's an industry that is very young, okay? For example, I keep coming across job descriptions asking for 10 years of experience for entry level jobs, but that's just silly.
[00:29:58] JC Gaillard: It doesn't make sense. Okay? 10 years ago, the industry was in a completely different shape. Okay. So there is a lack of realism here, which I think your HR auditors and listeners need to understand as well. You've got to understand the state of the cybersecurity industry and the fact that it's a fairly young field.
[00:30:17] JC Gaillard: Okay. But broadly speaking, there is a very significant shortage of skills. And that's making it very difficult to find the right people. Also, asking for industry specialism. You know, again, 10 years ago, 15 years ago, many industries didn't have a clue about all this. Okay? So, you know, where are you gonna find somebody who has 10 or 20 years' experience at a certain level in a certain industry, in cybersecurity? They don't exist.
[00:30:45] JC Gaillard: Okay, so you end up looking for profiles that are just not there. Okay. So your question was, you know, how do we go about... you were talking about the real life check, and that article in the Spiral of Failure.
[00:31:02] JC Gaillard: So the message I'm pushing, if you want, in that article is the fact that we need to make the cybersecurity industry more attractive. That's the first thing. And to make it more attractive, you have to play at a number of levels. It's not just about training more people, it's not just about courses.
[00:31:20] JC Gaillard: It's not just about higher education, you know, training more people. It's also about making the industry itself more attractive. There is a massive problem of diversity as well in the cybersecurity industry
[00:31:31] Nicole Greer: Oh, I'm sure.
[00:31:33] JC Gaillard: As well as the tech industry at large. It's mostly male dominated, to be honest.
[00:31:38] JC Gaillard: So it's also about making it attractive to a larger population of people, you know, across a more diverse spectrum of the population. And it goes, again, by looking back at the narrative, looking back at what we are selling to people when we talk about cybersecurity, and making it clear that no, this is not just about, you know, a guy in a hoodie in the basement.
[00:32:03] JC Gaillard: Okay. You know, it's not just about padlocks, it's not just about encryption. It's not just about firewalls or whatever else. Okay. No, there are all sorts of roles you could imagine around cybersecurity, from training roles, we've mentioned awareness and so on, all the way up to compliance related roles, audit roles, and so on and so forth.
[00:32:23] JC Gaillard: There is a very broad range of roles here. It's not just about bits and bytes. It's not just about, you know, security operations analyst roles dealing with incidents day in, day out. We need to portray that diversity. We need to make it look more attractive by moving away from the padlock type of visual, which is dominating the industry, which is really annoying, to say the least.
[00:32:51] JC Gaillard: And we need to make the industry more attractive and open up. Open up. Showcase better the diversity of roles. And try to open it up to a broader and more diverse cross section of the population, really. Now that's the story I was advocating at the time the article was written.
[00:33:12] JC Gaillard: 'Cause ultimately the Spiral of Failure is also a collection of articles. It's the same, it's really a management summary of this cybersecurity leadership handbook. So it's the same content packaged differently around a different narrative, but effectively the content of the Spiral of Failure
[00:33:26] JC Gaillard: is also a combination of articles in many ways. So that piece was written probably 5, 6, 7 years ago. The main problem we've got here, in what I've been telling you, is that, you probably know it and your audience certainly knows it, we have a major problem around entry level jobs.
[00:33:46] JC Gaillard: Okay. At the minute, AI is making them disappear very fast. So that's, you know, and it's true across the cybersecurity spectrum as it is true, you know, across the entire industry spectrum. Where are we going to train young people now, you know, if we are automating entry level jobs in cyber, like anywhere else? You know, what's going to happen with those young people? Where are they going to learn? What are they going to learn with? You know, it's all the language that consists of saying, oh, well, you know, it's all about orchestrating agents and this and that. Well, when do you get the knowledge to do that?
[00:34:22] JC Gaillard: How do you build the knowledge to do that? Yes, it's fine. The enterprise is going to become agentic. Fantastic. Great. Probably true. That's not the debate. But, and yes, you know, we need to engineer the human in the loop component. Yes. We need to know how to orchestrate agents better.
[00:34:40] JC Gaillard: We need to build the right type of governance layers around all this. Absolutely. Right. Where do you get the knowledge to do that? How do you build up the knowledge to do that? And so I think those issues affect the cybersecurity industry in the same way they affect, you know, the economy at large.
[00:35:01] Nicole Greer: Yeah, absolutely. So we got a lot of work to do, and I'm not sure that our... What is your experience with our universities? Are they ready to train people? Are they ready to, you know, maybe even at the community college level, which we have here in the States, at the undergrad level, at the master's degree level, how are our learning institutions helping us?
[00:35:22] Nicole Greer: With this lack of education, getting our AI in place. You know, JC, I went up about a month ago to Chicago 'cause I was a little panicked. I'm like, I don't know that much about AI. I'm fiddling around with chat. That's it. You know, so like, I gotta go, I gotta go get myself educated, to your point.
[00:35:40] Nicole Greer: And so I went and took a course, four day deep dive. You know, it was a lot. And you know, you're talking about, you know, it's going to be agentic, you know, you're gonna be using agents or whatever, you know, like, I learned how to do that. I would have to go check my notes right now to figure out how to put one in place.
[00:35:58] Nicole Greer: You know, it's a huge learning curve that we all have to go through. So it's kind of like a lot of things are hitting us. We've got AI hitting us, cybersecurity is changing. We need more of a business person in this role. We don't have enough people to do cybersecurity. This is like a hot mess.
[00:36:15] Nicole Greer: Is it a hot mess?
[00:36:17] JC Gaillard: It's one way to put it, but it is, it is. Yes, it is very challenging for large firms. I don't want to paint a picture that is too dark, because many large firms are doing well.
[00:36:33] Nicole Greer: Show us the light. Show us the vibrancy.
[00:36:35] JC Gaillard: What I was trying to say is, many large firms are doing well.
[00:36:39] JC Gaillard: I, I tend to have a distorted view of the industry because the people coming to me are people who have problems. Okay.
[00:36:45] Nicole Greer: Yeah.
[00:36:46] JC Gaillard: I do tend to have a distorted view of the cybersecurity landscape. But still, I think, you know, we've got a combination of factors here that are making the whole situation quite complex and quite sensitive. And this is really why I think it is time for the people at the top of the firm to really start owning it. Okay. It's no longer, it's certainly no longer a technology problem, if it ever was.
[00:37:13] Nicole Greer: Right, right. Don't miss that.
[00:37:15] JC Gaillard: It needs to be owned at the top of the organization.
[00:37:19] JC Gaillard: It needs to be owned at executive level. It needs to be owned at board level. Let's not simplify corporate governance too much. The board has a duty of oversight. The executives run the firm. Okay. The problem needs to be owned at both levels, and it needs to be owned seriously as a genuine business problem, not as a technology problem, as a genuine business problem.
[00:37:44] JC Gaillard: And it needs to be handled as a genuine business problem. It doesn't make sense to look at it in any other way. It can take your business down, period, you know? That's the long and short of it, and it needs to be owned at the top of the firm as that type of problem.
[00:38:04] JC Gaillard: Okay, fine. There are many other problems that can affect your business. Yes. And that's the complexity, you know, at that level. And that's those guys' job, okay, to manage that complexity. And I'm saying that because it is also about context. When I say it needs to be owned at the top of the firm as a genuine business problem, of course, but in the context of the other business problems the business has. And yes, there are massive geopolitical issues surrounding us.
[00:38:35] JC Gaillard: And yes, we have been going through a period, you know, the last five years, that has been economically complicated. Yes, absolutely. And then on top of that, not all firms are doing well. And then on top of that, to be absolutely blunt with your audience, not all firms are well managed. Okay, let's be clear.
[00:38:53] JC Gaillard: And that's what I keep telling, you know, very often on those shows. There is something I say, which I'm going to repeat now, which is, you know, you cannot expect cybersecurity to work well in a firm that doesn't. You cannot expect cybersecurity projects to deliver in a firm where projects don't deliver and nobody cares. You cannot expect cybersecurity governance to work well in a firm where corporate governance is completely dysfunctional and nobody cares as long as the money comes in every quarter and the numbers are good.
[00:39:24] JC Gaillard: If nobody cares beyond the bottom line, don't expect anything more complex and cross-functional to be driven, to be driven properly, and to function. Okay. And I'm sorry, it has to be said. It has to be said.
[00:39:38] Nicole Greer: Yeah. And you know, well, you know, I'm sitting here thinking, you know, what is the board worried about? What is the C-suite worried about? You know? So like, number one, revenue, right? Like, what's everybody worried about? So what JC is saying here, with a lot of passion, by the way, right? He's saying, you know,
[00:39:56] Nicole Greer: Revenue's important, but cybersecurity is right up here with it, right? Because your revenue could go out the door. If you don't have your cybersecurity in place, you can get held hostage. They can ask for a ransom. There's a thousand things that could happen. So, I'm hearing you loud and clear.
[00:40:11] Nicole Greer: This podcast is like a wake up call. Wake up everybody!
[00:40:14] JC Gaillard: I've got a good business contact and business friend who says, you know, at the top of the firm, they care about three things. One, make money,
[00:40:25] Nicole Greer: Right.
[00:40:26] JC Gaillard: One, make money. Two, don't lose money.
[00:40:30] Nicole Greer: Right.
[00:40:31] JC Gaillard: Three, don't go to jail.
[00:40:34] Nicole Greer: Oh, that's a good one.
[00:40:36] JC Gaillard: And, you know, cybersecurity helps with the last two. Let's put it this way.
[00:40:44] Nicole Greer: Oh, okay. All right, well tell, well connect the dot for me going to jail and cybersecurity.
[00:40:52] JC Gaillard: Regulation. Regulators.
[00:40:54] Nicole Greer: Ah, okay.
[00:40:56] JC Gaillard: Okay. The regulators are obviously all over cybersecurity issues. And that's not going to stop. It's been increasing steadily for as long as I've been involved, and that's not going to stop. Actually, regulation is a market mechanism. Okay? It's there, you know, to redress a situation which is not functioning well, and the regulators are all over those topics. Okay. And increasing. And they're gaining more and more powers and investigative powers. And ultimately, you know, yes, you could end up in pretty serious trouble, I think, in some jurisdictions for negligence, effectively for failing to address the risk properly.
[00:41:37] Nicole Greer: Yeah, and correct me if I'm wrong, I could be wrong. I'm trying to connect the dots here, but also if I'm sitting here and I'm a Chief Human Resource Officer and I'm gonna hire new counsel, I mean, I need to make sure my counsel has some kind of background on cybersecurity, or understands a little bit about it, or is willing to learn. Or make it a priority, right? Like, don't go to jail. Hello?
[00:42:02] JC Gaillard: Willing to learn, or willing to seek advice from experts. You know, at board level in particular, bringing in independent experts or independent directors with that type of expertise is pretty common. You cannot expect the board to be fully conversant on every single topic that may come about.
[00:42:23] JC Gaillard: Okay. So bringing in independent experts, bringing in independent directors with the right sort of background is pretty common, and that's also worth bearing in mind. It's not illegal. Certainly not. It's not shameful. I mean, it's just the way you work at that level.
[00:42:39] Nicole Greer: Yeah. Well, for years I've been hearing, and, you know, in my own studies, you know, the world used to be full of generalists, and, you know, you'd go to your general practitioner if you had a health problem, and now you can go to people who, you know, have a specialty in hands, in fingers and ears and whatever.
[00:43:02] Nicole Greer: Right. You know, so, you need to be surrounded by experts that are in all different things. And I bet cybersecurity has all sorts of areas of expertise. Is that true? Like, I'm an expert on this area of cybersecurity. I'm an expert on that. Are there different areas that people have expertise in?
[00:43:19] JC Gaillard: No, cyber is, yeah, as you said, there are people who have... Throughout your career, across the field, you develop specialties in this or that, and that is absolutely knowledgeable.
[00:43:28] Nicole Greer: Yeah. Yeah. Very good. Okay, here's what we're gonna do. I wanna ask you one last question, but I do wanna show everybody again the two books that JC has put together. And again, I love his energy because he's like, hello, hello. Wake up everybody. This...
[00:43:46] JC Gaillard: Go ahead.
[00:43:46] Nicole Greer: This book, this book is the Cybersecurity Spiral of Failure.
[00:43:50] Nicole Greer: So this, this is an educational thing for you to understand cybersecurity as best you can, right? Listen to this again after you read it and get familiar with what the true thing is. And so what I hear JC saying is that we've got to put somebody in the C-suite who is a business person that understands this, right?
[00:44:11] Nicole Greer: We just don't give it to the IT guys. Okay. And then the other thing is, don't miss this. Let's say you've got cybersecurity people on your team, or you have an IT team, this would be a great buy for everybody on the IT team, right? It's like, somebody needs to be the Chief Information Security Officer.
[00:44:30] Nicole Greer: Did I get it right?
[00:44:32] JC Gaillard: Yeah.
[00:44:33] Nicole Greer: Okay. Yeah, so, you know, like we need to evolutionize and upskill the people that we have, because long term this is the thing. So I think this is a great educational point for all of us that just think, as JC has said, IT has got it. They're working on it, but we all need to be working on it.
[00:44:54] Nicole Greer: All right. Now the last question I have for you is, and it always comes back to this, JC, it always comes back to trust. It always comes to trust. And at the very end of his book, he says the three lines of defense model only works on trust. And so that's why you have to have this business person that can persuade, that can negotiate, that can educate the board and everybody.
[00:45:19] Nicole Greer: Talk a little bit about trust. Let's finish there.
[00:45:23] JC Gaillard: For me, this is the part of the book where I'm reflecting on what I've been calling the bottom up culture. And the fact that for the past 20 years we've been trying to push a narrative up towards top execs. We've been thinking, oh, they don't get it. We have to explain to them what cybersecurity is.
[00:45:46] JC Gaillard: They have to be convinced, they have to be convinced by facts and numbers. We've been pushing a narrative which is effectively a rational narrative. Bottom up, you know, from the tech layer up towards the exec layer. We've been trying to build up a rational narrative. We've been thinking that it's all about return on investment.
[00:46:04] JC Gaillard: It's all about numbers. It's all about facts. It's all about a rationale around cybersecurity. They need to be explained what it is, and they need to understand it rationally. That's a complete mistake, in my opinion. Decisions are not made in that way at that level. First of all, that bottom up narrative has been bumping across a whole layer of cognitive biases.
[00:46:29] JC Gaillard: Okay. And you don't disrupt cognitive biases through rational thinking. Okay. And that's where many people have been failing, bottom up, thinking that it's all about numbers or it's all about ROI. Well, not really. And less and less. Okay. Less and less, because the guys at the top, they know what cyber is, they hear about it all the time.
[00:46:52] JC Gaillard: Okay. And I've had many discussions with CIOs in particular, where they were telling me, you know, I could spend as much as I like on cyber, or I could put any number I like in my budget on cyber, but then I need somebody to deliver. I need to get things done. And that's where the trust concept comes in, because when CISOs are telling me, oh, the board doesn't get it.
[00:47:16] JC Gaillard: You know, my budget has been cut, you know, I'm struggling to get more resources and so on. I don't see them asking themselves why. Okay. Because the real issue here is that gap, that distrust that has set in over time. Okay. And for me, this is really the most important thing you need to repair in that relationship. Okay. Rebuild trust, and you rebuild trust by focusing on execution, execution and execution. You know, delivering, delivering, delivering, delivering with what you've got, building it up little by little, showcasing what you do, showcasing that you're safe, and listening. Listening and listening to the stakeholders and
[00:47:56] JC Gaillard: really doing what they want you to do. And very often, you know, and that's something I develop in The First 100 Days, which is true probably for many execs, but you know, what can I do for you? Right? How can I help you? That has to be the first question you ask stakeholders. You know, what do you want from me?
[00:48:17] JC Gaillard: How can I help you? Okay.
[00:48:19] Nicole Greer: Yeah.
[00:48:20] JC Gaillard: That has to be the question. And then building up, co-constructing the security narrative, the security strategy, with the stakeholders based on what they want, not based on what you want. Not thinking, you know, best. Not thinking that, you know, what has worked elsewhere will work here.
[00:48:37] JC Gaillard: Listening. Listening, listening, co-constructing. And in that way you build trust. And trust will carry you through. Because if you demonstrate your ability to think strategically alongside your peers, to listen, to co-construct, as I keep saying, and you will be seen as one of their peers, then you will be invited to the strategy table.
[00:48:57] JC Gaillard: Okay? If you are seen as a strategic thinker. If you focus on tactical and technical things, on quick wins, on firefighting, you'll be seen as a firefighter. Good. Very important, firefighters. Essential, very important, but rarely invited to talk about strategy. Okay. And then you will wake up a number of years in the job realizing that
[00:49:21] JC Gaillard: yes. Okay. You know, you are not engaging with the top execs in the way you would like to. And it's not about complaining, it's about looking back, understanding what you've done and not repeating the mistakes. And that's what The First 100 Days is about. That's really about helping incoming CISOs, or people who have been in a CISO job before where it hasn't worked so well, helping them not repeat the same mistakes again.
[00:49:48] Nicole Greer: Yeah, absolutely. Okay. Well, again, I'm just gonna say I love JC's accent. I love his passion, and he is trying to help y'all, if you'll listen. All right. So, here's what we want you to do. Go out and get the book, the Cybersecurity Spiral of Failure. So this will, it can act as kind of a primer to get your head in the game about what's going on with cybersecurity.
[00:50:11] Nicole Greer: And then if you've got a CISO, I like how he says it's a CISO, C-I-S-O, the CISO. If you've got one of these on your team, get this book for them. But then also maybe, you know, hand this out to the whole IT team, give it to the CEO, the CFO, the COO, all the EIOs. And have them look at like, what do I need to do in order to do this?
[00:50:30] Nicole Greer: Because three things, we wanna make money, we wanna save money, and we don't wanna go to jail. All right? So don't forget that, that was my favorite quote of the whole thing. All right, so JC, if people want you to come and look at their situation or help them with what they need to do with cybersecurity.
[00:50:47] Nicole Greer: How do people find you?
[00:50:48] JC Gaillard: All the details are on Corix partners.com if they want to reach out. The books are on Amazon of course.
[00:50:54] Nicole Greer: Okay. Okay.
[00:50:55] JC Gaillard: Yeah, all the details are on Corix partners.com. I'm always very happy to exchange with all your listeners. If they go onto the site, they will see there are all sorts of resources on the site.
[00:51:05] JC Gaillard: There is a blog, there is a podcast as well, an audio podcast, which is not running at the moment, which is typically running for six months of the year, more or less, and which has gone through six series. And there are all sorts of videos and white papers on the site as well.
[00:51:23] JC Gaillard: But, you know, they can just reach out and I'll be delighted to engage.
[00:51:28] Nicole Greer: Okay, fantastic. So don't miss that. Lots of goodies over on his website. Go check it out. The information will be down in the show notes. Would you do me a favor? Real quick, before you click off, will you go down and like this episode and leave a little love note for JC and myself and say that you enjoyed this episode of the Build A Vibrant Culture podcast.
[00:51:48] Nicole Greer: Thanks everybody for listening and I'll see you next week.