The Rise of “Pragmatic” Cybersecurity: A Double-Edged Sword?

In the ever-evolving landscape of cybersecurity, terminology often shapes the strategies and policies that organisations adopt. Recently I have heard the term “pragmatic” being increasingly used among leaders when discussing cybersecurity and I even use it myself in my LinkedIn profile and CV. But what does this shift in language signify for the security posture of organisations, and what does it mean for the role of Chief Information Security Officers (CISOs)?

Unpacking “Pragmatic” Cybersecurity

The allure of being “pragmatic” in cybersecurity often revolves around the concept of balancing security needs with business functionality. Leaders advocating for pragmatic approaches typically emphasise efficiency, cost-effectiveness, and minimal disruption to business operations. In theory, this approach seems rational and appealing, especially in a business environment that prioritises agility and profitability.

However, my growing concern is that the term “pragmatic” may be increasingly used as a euphemism for cutting corners in cybersecurity efforts. This interpretation could lead organisations to prioritise short-term gains over long-term security resilience, potentially exposing them to increased cyber risks.

The Plight of CISOs in a “Pragmatic” Environment

For CISOs, the shift towards a more “pragmatic” approach can be particularly challenging. Traditionally tasked with safeguarding organisational data and systems from cyber threats, CISOs find themselves conflicted. On one hand, there’s a need to align with the broader business strategy and support organisational growth. On the other, there’s an inherent duty to advocate for robust security measures that may sometimes conflict with other business interests, especially in an increasingly regulated business environment where CISOs are now at risk of prosecution if a cyber breach materialises.

In environments where pragmatic approaches are interpreted as doing “less” security, CISOs advocating for comprehensive security measures may find themselves sidelined. The implication is stark: if a CISO pushes back against the grain of cost-cutting or streamlined security measures, their position and influence within the organisation might be jeopardised.

Evaluating the Consequences

The potential consequences of a misinterpreted pragmatic approach are significant. Reduced security measures can lead to vulnerabilities, making it easier for cyber attackers to exploit organisational systems. This not only poses risks to data security and integrity but can also lead to substantial financial losses and damage to reputation.

Furthermore, a culture that marginalises CISOs for advocating strong security practices could lead to a degradation of the cybersecurity posture. It also sets a precarious precedent that security can be compromised for the sake of other business objectives.

A Call for a Balanced Approach

To address these challenges, it’s essential for organisations to adopt a genuinely balanced approach to pragmatic cybersecurity. This means:

Clear Definitions: Organisations must clearly define what “pragmatic” means in the context of their cybersecurity strategies and set clear red lines or “we will never” boundaries. It should not be an excuse to underfund or deprioritise security, but a strategy to integrate security seamlessly with business operations.

Inclusive Decision-Making: CISOs should be integral to decision-making processes, ensuring that security considerations are woven into the fabric of business strategies.

Continuous Risk Assessment: Adopting a pragmatic approach should involve continuous risk assessments to align security measures with the evolving threat landscape and business needs.

Education and Awareness: Educating other leaders and stakeholders about the critical role of robust cybersecurity measures in protecting and enhancing business value.

Conclusion

While being pragmatic is essential in business, it’s crucial that this pragmatism does not translate into compromised security. Organisations must ensure that their approach to cybersecurity remains robust, adaptive, and fully integrated with their overall business strategy. For CISOs, it’s about striking the right balance between being a strategic enabler and a guardian of the organisation’s digital frontier. Leaders must recognise the value that CISOs bring to the table, not just as protectors but as key players in the long-term success and sustainability of the business.
