by Bharat Mistry
Humans are addicted to stories. But sometimes the stories we tell are overly simplistic. In cybersecurity, a recurring narrative is one of C-suite executives perpetually at odds with IT leaders. They’re disinterested in what the security team does, and release funds begrudgingly and often reactively once a serious incident has occurred. This leads to mounting cyber risk, and an increasing likelihood that the organisation will suffer serious reputational and financial damage stemming from future incidents—or so the story goes.
In reality, things are more nuanced, as new Trend Micro research reveals. And IT-board relationships are far from beyond the point of repair. But closer IT-board engagement is a must if these organisations are to avoid the mistakes of the past and build a security-by-design culture that permeates enterprise-wide.
Digital means risk
We all know the story of the past two years. Mass digital investments in SaaS collaboration suites, cloud infrastructure and other tools helped to keep organisations operational when they needed it most. The money continues to flow today, as those same companies realise they must keep on pumping funds into digital to stay competitive amidst rising customer expectations. Gartner predicted public cloud spending growth would hit 23% year-on-year in 2021 and increase 20% this year to top $397bn.
From a cybersecurity perspective, these business decisions are loaded with risk if protections are not built into projects from the start. Our recent global poll revealed that 90% of business and IT decision makers are concerned about the impact of ransomware. It also found generally poor levels of cyber-awareness among board members. Less than half (46%) of respondents claimed concepts like “cyber risk” and “cyber risk management” were known extensively in their organisation.
The landscape is changing fast
Yet things are not as bad as they seem at first glance. The largest group of organisations (42%) claimed they spend most funds on tackling cyber-attacks, rather than the usual business suspects of digital transformation (36%) and workforce transformation (27%). Half claimed they’d recently invested in mitigating the risk of ransomware attacks and breaches.
The truth is that many board leaders do understand the need for greater investment in security as a strategic growth driver. But they find it hard to keep pace with a threat landscape that moves at the speed of light. Vulnerabilities used to go months or years before they were exploited, for example, but today threat actors are working on exploits for bugs like Log4Shell within hours of their discovery. That makes the fast-changing risk landscape difficult to grasp for even tech-savvy C-suite leaders. As a result, cyber risk continues to be managed reactively, which puts the organisation perpetually on the back foot.
What happens next?
So where does that leave us? More regular engagement with the C-suite is a must. As it stands, only around half (57%) of respondents said they discuss cyber risks with the board at least weekly. When they do meet, IT leaders need to speak a language these executives understand, so they can calculate the potential impact of a threat to the business and decide how to manage it.
Finally, it’s about sharing responsibility throughout the organisation. The largest number of survey respondents argued that the buck should ultimately stop with the CEO, while sizeable minorities also said that roles such as CFOs (28%) and CMOs (22%) should take responsibility. In truth, security is everyone’s responsibility. And the sooner organisations can deliver and enforce that message, from the very top down, the better.