90% of respondents to a recent survey said decisions made left companies vulnerable.
How much of a priority is IT in your organisation? It’s a perennial challenge, with business owners and executives having to juggle many competing interests, alongside the safe running of their computing infrastructure.
But the opinion of those tasked with keeping businesses safe on the front line of their IT defences is clear: businesses are willing to compromise on cybersecurity in favour of digital transformation. And worse, many IT professionals have felt pressured to downplay the severity of cyber risks to their board.
The shock survey results uncover a fundamental issue with the world of business: reliant on ensuring business as normal, it often downplays the potential risks to its enterprise, and puts IT low down on a list of priorities to tackle. Just 50% of IT leaders and 38% of business decision makers believe the C-suite completely understands cyber risks, according to Trend Micro.
77% of both IT and business leaders think that their organisation should hold more people responsible for managing/mitigating risk.
The gulf between the realities and what businesses want to portray publicly is an issue. “IT leaders are self-censoring in front of their boards for fear of appearing repetitive or too negative, with almost a third claiming this is a constant pressure. But this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure,” says Bharat Mistry, UK technical director for Trend Micro. “We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth – helping to bring together IT and business leaders who, in reality, are both fighting for the same cause.”
Never lie, never mislead
But balancing what’s right for the bottom line and what’s right for ongoing IT security is vital. “IT decision makers should never have to downplay the severity of cyber risks to the Board. But they may need to modify their language so both sides understand each other,” says Phil Gough, Head of Information Security and Assurance at Nuffield Health.
“That’s the first step to aligning business-cybersecurity strategy, and it’s a crucial one. Articulating cyber risks in business terms will get them the attention they deserve, and help the C-suite to recognise security as a growth enabler, not a block on innovation.”
The survey polled 5,321 IT and business decision makers from enterprises with more than 250 employees across 26 countries, giving a sense of the scale of the issue of IT security globally. What it found was a belief among those tasked with keeping IT departments secure within businesses that the leaders they tasked often weren’t up to the job.
49% of respondents claim that cyber risks are still being treated as an IT problem, rather than a business risk.
This is worrying, given the immense impact that something like a ransomware attack can have on a business’s ability to continue operating.
“It appears that many business and IT leaders feel ‘out of control’ when it comes to managing cyber-risks. There may be a number of ways they can regain some control of this. One way of helping encourage agency in this may be to reform the focus of cyber-risk training. Rather than it being solely on awareness-raising of risk, it could draw in scientific insight into the range of cognitive biases and processing involved in susceptibility to well-designed phishing scams for example. This could help all employees understand themselves as active agents in mitigating these risks but also highlight that any ‘vulnerabilities’ to these are largely a part of simply being human,” says Dr Linda K. Kaye, Reader in Psychology, Edge Hill University.