by Bharat Mistry
There’s always been friction at the heart of the relationship between IT and the business. It’s particularly acute in the sphere of cyber, where the security function has long been regarded with suspicion as a block on innovation and productivity. However, the chasm between both sides has rarely been this wide. Nor have the repercussions of miscommunication and mistrust been so potentially catastrophic. A new Trend Micro study lays bare the scale of the problem, and offers some advice on how to tackle it.
To build the security-by-design culture that modern organisations need, security must be formalised, and embedded into every business process.
Friction hurts businesses
We’re living at a time when our adversaries hold most of the cards. Global organisations are collectively spending over $150bn this year on security technology. And yet, around two-thirds of the UK’s medium (65%) and large businesses (64%) admit they’ve suffered a breach over the past year. Trend Micro blocked almost 63 billion threats in 2020, and 41 billion in the first half of 2021. A pandemic-era expansion of digital infrastructure and services has only increased the corporate attack surface for many businesses—offering more opportunities for threat actors to do their worst.
It’s against this backdrop that we recently polled over 5,300 IT and business decision makers from global organisations to better understand how friction between the two sides is hurting businesses.
The results were surprisingly unequivocal. They revealed a perception among IT leaders that the C-suite is ignorant and apathetic towards security risk. It’s a dynamic which is even forcing IT bosses to self-censor in front of their boards for fear of seeming too negative or repetitive. Here are some key findings:
- 90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favour of digital transformation, productivity, or other goals
- Only 50% of IT leaders believe the C-suite completely understands cyber risks
- Many claim this is because board members either don’t try hard enough (26%) or don’t want to understand (20%), or because they see it as an impenetrable technology issue
- 82% of IT decision makers have felt pressured to downplay the severity of cyber risks to their board. Some 30% claim this is a constant pressure
- Half (49%) of business and IT respondents claim that cyber risks are still being treated as an IT problem rather than a business risk
Where next for cyber?
The path to improved IT-board relations is therefore pretty clear: the C-suite must come to appreciate cyber as an intrinsically important business risk. Unfortunately, as it stands, most respondents believe the only way that boardrooms will sit up and take notice of cyber is if there is a breach or if customers demand it. Organisations must get more proactive than this if they want to avoid a major incident.
The key lies with security-by-design, a best practice principle that mandates cyber is built into everything an organisation does—from staff training to new product and service development. A modified form, data protection by design, is also a founding principle of the GDPR. The idea is that by changing user awareness and behaviour and adapting business processes, you can drive a security-first culture which is self-reinforcing: good practice begets good practice.
How do you get there? It needs buy-in from the very top, which means things must change on both the IT and the business side. Here are a few tips from the report:
- Formalise cybersecurity with documentation, KPIs and established metrics to drive a business risk discussion about cyber.
- Consider a new role of Business Information Security Officers (BISOs), who can help embed security into business processes and align cyber with business demands for productivity.
- Restructure reporting lines so that the CISO reports directly to the CEO—this will expose the latter to cybersecurity and will help provide more business input for security leaders.
- Deploy an XDR platform that correlates and analyses threat data from across the IT environment (endpoints, servers, cloud workloads, networks and email) to provide maximum visibility into threat and risk levels.
Cultural change of this sort isn’t quick or easy. But it’s essential in today’s threat and risk landscape. Find out more!