The importance of effective cyber risk management
IT and business leaders have rarely seen eye-to-eye on cybersecurity, but today the friction seems more pronounced than ever. Trend Micro research found that over 90% of IT decision makers believe their organisation would be willing to compromise on cybersecurity in favour of other goals.
The short-term benefits of such a strategy are not worth the cyber risk, which includes financial losses and reputational damage. To succeed in the post-pandemic era of hybrid or remote workforces, organisations must reconcile this business-IT stand-off and come to a shared understanding about cyber risk as a key element of business risk. This will enable organisations to better understand, communicate, and mitigate cyber risk across the enterprise, maximising their business potential and avoiding costly breaches.
The state of corporate cyber risk management
Trend Micro research also reveals that 50% of IT leaders and 38% of business decision makers think the C-suite completely understands cyber risks. Some believe this is because the field is too complex and fast-changing. But others argue that their boards either don’t try hard enough or simply don’t want to understand.
In addition, more than 80% of IT managers surveyed felt pressured to downplay the severity of cyber risks to their board for fear of sounding too negative or repetitive. While this concern is understandable, IT leaders play a critical role in helping the boardroom clearly understand the cyber risk landscape, which in turn boosts cybersecurity investment and enables the organisation to grow.
Disagreements aren’t only between IT leaders and the C-suite; friction between IT and business decision makers runs throughout organisations. Case in point: IT leaders are nearly twice as likely as their business counterparts to believe that ultimate responsibility for managing and mitigating risk should sit with their own colleagues or the CISO.
This friction is already having a notable impact on organisations. Over half reported that their attitude towards cyber risk varies from month to month. This kind of inconsistency is the exact opposite of what’s needed: a stable, well-planned strategy built on best practices and clear insight into the risk environment.
Speaking the board’s language
Many of the business and IT leaders surveyed believe their board will only sit up and take notice of cybersecurity if they suffer a breach, or if customers demand it. How can you convince the board to be more proactive? IT and security decision makers need to speak the language of business risk that their board will be able to understand and act on. The cost and potential business impact of a security breach will certainly resonate.
For context, Trend Micro blocked over 94 billion threats in 2021, a staggering 42% increase from 2020, meaning the likelihood of being attacked, and the associated costs to organisations, increased as well. One estimate puts the total cost of a breach at over $4.2 million today, but ransomware compromises, for example, have cost some organisations tens of millions in lost sales, productivity outages, IT overtime, and more.
Next, security programs must also be formalised: a top-down, documented strategy highlighted by KPIs and established metrics will enhance the board’s understanding of risk.
This can seem complex if you’re utilising disconnected point products, requiring your security teams to manually collect and correlate the necessary data. Enter: a unified cybersecurity platform with broad third-party integration, comprehensive visibility and continuous discovery of your digital attack surface, and extended detection and response (XDR) with automated executive reporting features.
Leveraging a platform requires board investment as well, ultimately creating a “what comes first” situation. Consider asking potential vendors for a proof-of-concept (POC) or free trial: showing the C-suite the full reporting capabilities helps secure their investment and, at the same time, helps them better understand the impact of internal friction on cyber risk management.
To learn more about managing cyber risk and the security and operational benefits of a unified cybersecurity platform, check out these resources: