IT and business leaders have rarely seen eye-to-eye on cybersecurity, but today the friction seems more pronounced than ever. New Trend Micro research found that over 90% of IT decision makers believe their organization would be willing to compromise on cybersecurity in favor of other goals.
The short-term benefits of such a strategy are not worth the long-term costs. To succeed in the post-pandemic era, organizations must reconcile this business-IT stand-off and come to a shared understanding about cybersecurity as a key element of business risk. This will enable organizations to maximize their business potential by embedding security into everything they do from day one, rather than play catch-up years down the line after a costly breach.
The new report also reveals that 50% of IT leaders and 38% of business decision makers think the C-suite completely understands cyber risks. Some believe this is because the field is too complex and fast-changing. But others argue that their boards either don’t try hard enough or simply don’t want to understand.
In addition, more than 80% of IT managers surveyed felt pressured to downplay the severity of cyber risks to their board in fear of sounding too negative or repetitive. While an understandable concern, IT leaders play a critical role in helping the boardroom clearly understand the cyber risk landscape in order to boost cybersecurity investments and enable the organization to grow.
Disagreements aren’t only between IT leaders and the C-suite; friction between IT and business decision makers runs throughout organizations. Case in point: IT leaders are nearly twice as likely as their counterparts to believe that ultimate responsibility for managing and mitigating risk should be with their own colleagues or the CISO.
This friction is already having a notable impact on organizations. Over half reported that their attitude towards cyber risk varies from month to month. This kind of inconsistency is the exact opposite of what’s needed: a stable, well-planned strategy built on best practices and clear insight into the risk environment.
Speaking the board’s language
Many of the business and IT leaders surveyed believe their board will only sit up and take notice of cybersecurity if they suffer a breach, or if customers demand it. How can you convince the board to be more proactive? IT and security decision makers need to speak the language of business risk that their board will be able to understand and act on. The cost and potential business impact of a security breach will certainly resonate.
As threats increase, the costs to organizations follow suit. One estimate puts the total cost of a breach at over $4.2 million today, but ransomware compromises, for example, have cost some organizations tens of millions in lost sales, productivity outages, IT overtime, and more. The board should also be made aware that 2021 is on track to be a record year for threats, increasing the probability that they’ll be impacted.
Security programs must also be formalized: a top-down, documented strategy supported by KPIs and established metrics will enhance the board’s understanding of risk. Building a business case to create a new role for Business Information Security Officers (BISOs) may also help with business-security alignment.
For more insights into the psychology of risk and propelling a culture change to enhance security, read “Global study: Business friction is exposing organizations to cyber threats.”