When it comes to cybersecurity, IT and business leaders rarely see eye to eye, and today the friction appears more pronounced than ever.
Over 90% of IT decision-makers believe their company would be willing to compromise on cybersecurity in favor of other priorities such as productivity, digital transformation, or customer experience, according to a new Trend Micro report, “Global Study: Business Friction Is Exposing Organizations To Cyber Threats.”
The short-term gains of such a strategy are insufficient to justify the long-term costs. Organizations need to overcome this business-IT divide to succeed in the post-pandemic landscape, and come to a shared understanding of cyber risk as a major component of business risk. That would allow companies to maximize their business potential by building security into everything they do from the start, rather than playing catch-up years later after a costly breach.
According to the Trend Micro report, only 38% of business decision-makers and 50% of IT leaders believe the C-suite understands cyber risks completely. Some attribute this to the field being fast-changing and complex. Others believe their boards do not try hard enough, or do not want to learn.
Furthermore, more than 80% of the IT executives polled said they felt pressured to downplay the seriousness of cyber threats to their board of directors in order to avoid seeming too negative or repetitive. This is a dangerous habit. Boardrooms will never gain a complete understanding of the cyber-risk landscape or its importance if IT leaders self-censor. It is a vicious cycle that will almost certainly result in under-investment or misdirected investment in cybersecurity.
It is not only friction between the C-suite and IT leaders that is concerning. Organizations are also riven by conflict between IT and business decision-makers over who owns risk. For instance, IT executives are nearly twice as likely as their business peers to believe that their colleagues or the CISO should bear ultimate responsibility for risk management and mitigation.
Threats at an All-Time High
Organizations are already feeling the effects of this friction. Over half of respondents said their assessment of cyber risk changes from month to month. This inconsistency is the polar opposite of what is required: a stable, well-thought-out strategy based on best practices and a clear understanding of the risk environment.
Because threat actors increasingly use brute-forced or phished employee credentials to get past perimeter defenses, many sophisticated attacks go unnoticed. Once inside the network, they use legitimate administrative tooling to move laterally while remaining undetected, since activity under a valid account with built-in tools rarely trips signature-based controls. According to IBM’s “Cost of a Data Breach Report 2021,” the average cost of a data breach today exceeds US$4.2 million. Ransomware attacks have cost some businesses tens of millions of dollars in lost sales, IT overtime, productivity losses, and more.
It is self-defeating to put security on the back burner in favor of digital transformation or other business priorities. When a major incident occurs, those same projects come to a standstill or fail because security was not factored in from the beginning.
This is a form of business myopia that creates unnecessary barriers to success. Many of the business and IT leaders polled feel that their board will only pay attention to cybersecurity after a breach, or when customers demand it. Organizations need to think much further ahead than that.
It All Begins With Visibility
Half of all companies globally view cyber risk as an IT issue rather than a business risk. This needs to change. Security leaders first need a clear picture of what is actually happening on the ground. At the moment, their teams are frequently inundated with alerts and overloaded by vulnerability updates. XDR platforms can help by correlating telemetry from endpoints, cloud systems, servers, email, and other sources to give comprehensive threat visibility and reduce that volume of data to what matters, though the visibility is only as good as the sources actually onboarded.
The next step is for security and IT leaders to speak the language of business risk in a way that their board will understand and respond to. Security programs should also be formalized: a top-down, defined strategy built on established metrics and KPIs will help the board assess risk consistently rather than month to month. Creating business information security officer (BISO) roles embedded in business units could further help unify business and security.
The ultimate goal is to convince the C-suite that only a security-by-design culture allows a company to confidently accelerate and expand digital innovation projects. Those who get there first will hold a significant advantage over their competitors.