IT and business leaders have rarely seen eye-to-eye on cybersecurity, but today the friction seems more pronounced than ever. New Trend Micro research found that over 90% of IT decision-makers believe their organization would be willing to compromise on cybersecurity instead of other priorities like digital transformation, productivity or customer experience.
The short-term benefits of such a strategy are not worth the long-term costs. To succeed in the post-pandemic era, organizations must reconcile this business-IT stand-off and come to a shared understanding about cyber as a critical element of business risk. This will enable organizations to maximize their business potential by embedding cyber into everything they do from day one, rather than play catch-up years down the line after a costly breach.
Friction Everywhere
The new report also reveals that just 50% of IT leaders and 38% of business decision-makers think the C-suite completely understands cyber risks. Some believe this is because the field is too complex and fast-changing. Yet, others argue that their boards either don’t try hard enough or don’t want to understand.
In addition, more than 80% of IT bosses surveyed felt pressured to downplay the severity of cyber risks to their board for fear of sounding too negative or repetitive. This is a dangerous habit. If IT leaders are effectively self-censoring, then boardrooms will never clearly understand the cyber risk landscape or its importance. It’s a vicious cycle that is likely to lead to subpar investments in cybersecurity.
It’s not just disagreements between IT leaders and the C-suite that we should be concerned about. Friction between IT and business decision-makers runs throughout organizations. Case in point: IT leaders are nearly twice as likely as their counterparts to believe that ultimate responsibility for managing and mitigating risk should be with their colleagues or the CISO.
A Record Year for Threats
This friction is already having a real impact on organizations. Over half reported that their attitude towards cyber risk varies from month to month. This kind of inconsistency is the exact opposite of what’s needed: stable, well-planned strategy built on best practices and clear insight into the risk environment.
It comes at a time when Trend Micro blocked over 41 billion threats in the first half of 2021 alone, putting it on track to be a record year. Many more sophisticated attacks will go unchecked by organizations because threat actors use phished or brute-forced employee credentials to waltz past perimeter defenses. Once inside networks, they’ll use legitimate tooling to move laterally while staying hidden. One estimate puts the total cost of a breach at over $4.2 million today. Still, ransomware compromises, for example, have cost some organizations tens of millions in lost sales, productivity outages, IT overtime and more.
Two-thirds of respondents believe that cyber has the highest cost impact of any business risk. That’s the kind of message that should resonate with boards if adequately communicated. Compromising security in favor of digital transformation or other business priorities is self-defeating. Those same projects will end up halting or failing when there is a significant incident because security was not built in from the start. It’s a kind of business myopia that puts unnecessary roadblocks in the way of success. Many of the business and IT leaders surveyed believe their board will only sit up and take notice of cybersecurity if they suffer a breach or if customers demand it. We need to be thinking way more proactively than that.
It Starts With Visibility
Half of organizations globally treat cyber risks as an IT problem rather than a business risk. This must change. The first step is for security leaders to get a clear view of what’s happening on the ground. At present, their teams are often overwhelmed with threat alerts and drowning in vulnerability updates. XDR platforms can help by correlating data from across endpoints, servers, cloud systems and more to provide comprehensive visibility into threats and simplify the overwhelming volume of data.
Next, IT and security decision-makers need to speak the language of business risk that their board will understand and act on. Security programs must also be formalized: a top-down, documented strategy highlighted by KPIs and established metrics will enhance the board’s understanding of risk. Creating a role for business information security officers (BISOs) may also help with business-security alignment.
The ultimate goal is to help the C-suite understand that only a security-by-design culture can enable an organization to accelerate and expand digital innovation projects with confidence. Those who get there first will have an undeniable advantage over their competitors.
Explore and learn more at CLOUDSEC 2021 (Nov. 16-18), a virtual event built for cloud and cybersecurity pioneers, leaders, and technical experts.
