Are CSOs Downplaying Cybersecurity Risks?
For years, experts have commented on the need to have board-level acceptance of cybersecurity threats, even describing it as the panacea for data security in the future. Now, a new report has shed light on the matter suggesting that security leaders in organizations often downplay such risks in boardrooms.
The report, which was brought out by Trend Micro with support by Sapio Research, notes that while stakeholders in the boardrooms did demonstrate awareness of cyber crime and business risk, CISOs were often “failing to land their message in the boardroom”. This has serious implications for achieving long-term strategic goals of cyber-resilience, it said.
The survey, which covered more than 2,600 IT leaders responsible for cybersecurity, noted that 79% of the respondents felt pressured by their Boards to downplay the severity of cyber risks and 80% actually believe that only a serious data breach would be incentive enough for the Board members to act more firmly.
CISOs described as repetitive, nagging and overly negative
In fact, the report mentions that security leaders who pushed hard were seen by their respective boards as “repetitive”, “nagging” and “overly negative”. The report also revealed that just 43% of the cybersecurity leaders who felt boardroom pressure said they were both nagging and repetitive while 42% said they were viewed as overly negative.
In a statement, Trend Micro Technical Director Bharat Mistry notes, “Over half of security leaders say cyber is their biggest business risk. But they’re failing to communicate that risk in a language the board understands. As a result, they’re ignored, belittled, and often accused of nagging.” Unless they can engage better with the senior leadership, corporate cyber resilience will suffer and the first step would be to attain a single source of truth across the attack surface, he added.
C-suite’s actions often disjointed and lacking strategic cohesion
The report suggested that just over half (54%) of the respondents were confident that their C-suite completely gets the cyber risks within the organization while 34% felt that cybersecurity was treated as a part of IT and not as a business risk. And, 80% believed that only a serious breach could incentivize the board to act decisively.
“Unfortunately, C-suite action and investment that is driven by one-off events like this ends up being disjointed and lacking strategic cohesion. It can lead to the purchasing of point products which rarely fix the underlying cause of a breach/incident—and often cause additional cost and complexity headaches down the line,” the statement said.
Trend Micro had warned of this trend back in 2020
In fact, in an earlier report published in November 2020, Trend Micro had noted that 69% of business and technology leaders believe that cybersecurity is entirely or mostly a technology area with little or no linkage to the business, while another 11% equate cybersecurity with regulatory compliance.
Additionally, many organizations rate themselves as only adequate or poor in areas like their executives’ commitment to cybersecurity and treating cybersecurity as a critical component of business strategies. In aggregate, the research indicates that most organizations don’t strive for “good security,” but rather they settle on “good enough” security, it said.
Such disconnect can never bring in cyber resilience
Cybersecurity experts point out that such a disconnect has serious organizational implications, especially with regard to long-term goals around data safety and cyber resilience. “The truth is that boards have little time for death-by-PowerPoint presentations from the CISO, crammed with industry jargon and irrelevant metrics,” the security firm says.
The report says that the Boardrooms want insights into queries like “How is cyber supporting our business objectives? What is the return on investment (ROI) of our investments in cyber? What are the cyber-risk implications of our latest digital transformation initiative?” They aren’t interested in chunking down cybersecurity programs but ask strategic questions like “How secure are we? and how does our security program compare with our peers?”
Healthcare, financial services companies face biggest threat
Recently, in another report based on research conducted by data collection company SOAX, the healthcare industry was the most vulnerable sector in the United States. The study analyzed data from the Identity Theft Resource Center between 2020 and 2023, and ranked industries based on the number of incidents reported in 2023.
Others in this list include financial services, professional services, manufacturing, education, technology, retail, not-for-profit entities, transportation and government agencies.
“The study has identified a concerning sharp rise in cyber incidents across all U.S. industries in 2023, which is particularly alarming, especially within the healthcare and financial services industries. These sectors store vast amounts of sensitive information, making them lucrative targets for cybercriminals,” according Stepan Solovev, CEO and co-founder at SOAX,