SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
New study shows IT decision-makers think organisations compromise cybersecurity in favour of other goals
Wed, 17th Nov 2021

A new study by security firm Trend Micro has revealed that 90% of IT decision-makers believe organisations compromise on cybersecurity in favour of other goals within their business. Additionally, 82% have said they felt pressured to downplay the severity of cyber risks to their board.

The study surveyed 5,321 IT decision-makers in companies with 250 employees or more across 26 countries. Most respondents highlighted digital transformation and productivity issues as their main reasons while also stating that they had other goals to focus on.

Trend Micro UK technical director Bharat Mistry says that there needs to be a more transparent communication channel between business and IT leaders, and that collaboration is the key to helping prevent risk.

"IT leaders are self-censoring in front of their boards for fear of appearing repetitive or too negative, with almost a third claiming this is a constant pressure. But this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure," he says.

"We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth – helping to bring together IT and business leaders who, in reality, are both fighting for the same cause."

Nuffield Health head of information security and assurance Phil Gough echoes this sentiment, saying that language can be a key factor in helping create clearer and more effective communication channels.

"IT decision-makers should never have to downplay the severity of cyber risks to the board, but they may need to modify their language so both sides understand each other.

"That's the first step to aligning a business-cybersecurity strategy, and it's a crucial one. Articulating cyber risks in business terms will get them the attention they deserve, and help the C-suite to recognise security as a growth enabler, not a block on innovation."

The study also revealed that only 50% of IT leaders and 38% of business decision-makers believe that the C-suite completely understands cyber risks, with many finding the topic too complex or challenging to understand. A smaller percentage also think the C-suite either doesn't try hard enough to understand or doesn't want to.

There is also research that shows a lack of clarity over who is responsible for managing and mitigating risk. IT leaders are nearly twice as likely as business leaders to point to IT teams and the CISO. In addition, 49% of respondents claim that cyber risks are still being treated as an IT problem rather than a business risk.

This lack of clear direction and responsibility has led to 52% of the respondents saying that they believe their organisation's attitude towards cyber risk is inconsistent from month to month.

Despite this friction, 31% of the respondents still believe cybersecurity is the biggest business risk, with 66% saying it has the highest cost impact of any business risk.

There are three main ways respondents believe the C-suite will take notice of cyber risk in the future:

  • 62% believe it will take a serious data breach for their organisation.
  • 62% said it would help if they could better report on and easily explain the business risk of cyber threats.
  • 61% said that it would make an impact if customers start asking for more security credentials.

Coillte enterprise security architect Mark Walsh summarises that it will take effort and clarity from the C-suite to enhance business awareness of cyber threats.

"To make cybersecurity a board-level issue, the C-suite must come to view it as a true business enabler.

"This will prompt IT and security leaders to articulate their challenges to the board in the language of business risk. And it will require prioritised, proactive investments from the boardroom – not just band-aid solutions following a breach."