Monday, 29th November 2021
Logo

Urgent need for new way to discuss business risk

Trend Micro has published new research revealing that 90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals. Additionally, 82% have felt pressured to downplay the severity of cyber risks to their board.

“IT leaders are self-censoring in front of their boards for fear of appearing repetitive or too negative, with almost a third claiming this is a constant pressure. But this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure,” said Bharat Mistry, UK technical director for Trend Micro. “We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth – helping to bring together IT and business leaders who, in reality, are both fighting for the same cause.”


“IT decision makers should never have to downplay the severity of cyber risks to the Board. But they may need to modify their language so both sides understand each other,” said Phil Gough, Head of Information Security and Assurance at Nuffield Health. “That’s the first step to aligning business-cybersecurity strategy, and it’s a crucial one. Articulating cyber risks in business terms will get them the attention they deserve, and help the C-suite to recognise security as a growth enabler, not a block on innovation.”

The research reveals that just 50% of IT leaders and 38% of business decision makers believe the C-suite completely understand cyber risks. Although some think this is because the topic is complex and constantly changing, many believe the C-suite either doesn’t try hard enough (26%) or doesn’t want (20%) to understand.

There’s also disagreement between IT and business leaders over who’s ultimately responsible for managing and mitigating risk. IT leaders are nearly twice as likely as business leaders to point to IT teams and the CISO. 49% of respondents claim that cyber risks are still being treated as an IT problem rather than a business risk.

This friction is causing potentially serious issues: 52% of respondents agree that their organization’s attitude to cyber risk is inconsistent and varies from month to month.

However, 31% of respondents believe cybersecurity is the biggest business risk today, and 66% claiming it has the highest cost impact of any business risk – a seemingly conflicting opinion given the overall willingness to compromise on security.

There are three main ways respondents believe the C-suite will sit up and take notice of cyber risk:

•62% think it would take a breach of their organization

•62% it would help if they could better report on and more easily explain the business risk of cyber threats

•61% say it would make an impact if customers start demanding more sophisticated security credentials

"It appears that many business and IT leaders feel "out of control" when it comes to managing cyber-risks. There may be a number of ways they can re-gain some control of this. One way of helping encourage agency in this may be to reform the focus of cyber-risk training. Rather than it being solely on awareness-raising of risk, it could draw in scientific insight into range of cognitive biases and processing involved in susceptibility to well-designed phishing scams for example. This could help all employees understand themselves as active agents in mitigating these risks but also highlight that any "vulnerabilities" to these are largely a part of simply being human," said Dr Linda K. Kaye, Reader in Psychology, Edge Hill University.


Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that the...
Atos has launched Atos OneCloud Sovereign Shield, a set of solutions, methodologies, and operational...
New distribution agreement set to bolster Westcon-Comstor’s Zero Trust offering in more markets acro...
Research from Avast has found that employees in almost a third (31%) of Small and Medium Businesses...
This year, over half of MSPs or their end customers have been attacked by ransomware but only 53% of...
Cyber consultants call on businesses to act now, or risk budgets shrinking further in ‘real terms’ d...
State of Industrial Cybersecurity report reveals only 21% of organizations achieved full maturity fo...
Lack of ownership, resources, and skills continues to challenge PKI deployments.