Digital transformation produces many positives, and consequently most firms have invested heavily in digital projects, whether to support remote working, build new business processes, or drive new business models and customer experiences. The downside is that every such project adds unmanaged endpoints and cloud infrastructure for malicious actors to target.
With the digital world evolving quickly around society, cybersecurity risks are more present than ever before. Greater still are the risks that Information Technology decision makers take when they are too uncertain, or too uncomfortable, to raise these concerns with executive-level board members.
According to Antoine Saikaley, Canadian technical director for Trend Micro, it is essential that all business leaders keep cybersecurity risk top of mind.
This concern is captured in the economic impact. For example, losses reported to the U.S. FBI alone exceeded $4 billion in 2021, and the actual figure is likely to be many times higher, since much cybercrime goes unreported. Faced with these kinds of odds, one might expect boards and their IT and security decision makers to be pulling in the same direction. Is this the case?
Saikaley draws attention to a new survey from Trend Micro that questioned over 200 IT leaders in Canada. It found that half (50 percent) of respondents report that cyber risk is still being treated as an IT problem rather than a business risk in their organizations.
This finding puts these leaders at odds with their company's board members, a gap exacerbated by the fact that nearly half (48 percent) of respondents agree that their organization's attitude to cyber risk is inconsistent and varies from month to month.
The research also establishes that just 44 percent of IT leaders and 45 percent of business decision makers believe the C-suite completely understands cyber risk. This finding sits awkwardly with the fact that 36 percent of respondents believe cybersecurity is the biggest business risk today.
Perhaps one of the points of confusion rests on understanding exactly who is responsible for ensuring that systems are protected. In this context, 32 percent of respondents think it is the CEO who is ultimately responsible for managing and mitigating risk. Beyond this, 75 percent of respondents agree that more people should be held responsible; the problem is that they cannot agree on which role in the firm should take that responsibility.
To address the issues of concern, the report recommends:
- Formalise cybersecurity with documentation, KPIs and established metrics. Measurable targets turn cyber into a business risk discussion rather than an IT status report.
- Consider a new role of Business Information Security Officer (BISO), who can help embed security into business processes and align cyber with business demands for productivity.
- Restructure reporting lines so that the CISO reports directly to the CEO. This exposes the CEO to cybersecurity matters and gives security leaders more business input.
- Deploy an XDR platform that correlates and analyses threat data from across the IT environment (endpoints, servers, cloud workloads, networks and email) to provide maximum visibility into threat and risk levels.
The report concludes that the end goal for businesses is a culture of security-by-design, for example by automating data security controls and formalizing the design of corporate infrastructure so that security is built in rather than bolted on afterwards.