A £145K Cyber Incident is the Only Way to Get the C-Suite’s Attention, say IT Security Leaders
May 2024 by Trend Micro
Trend Micro Incorporated reveals that UK IT security leaders believe it would take a loss of around £145,000 from a cyber incident to incentivise their C-Suite to act more firmly on cyber risks, despite identifying it as the number one threat to the business.
The research, which surveyed 100 UK cybersecurity leaders as part of a global study The CISO Credibility Gap, reveals that 74% of UK respondents have felt boardroom pressure to downplay the severity of cyber risks, for fear of being seen as repetitive/nagging (41%) or as overly negative (38%), and amidst broader struggles with gaining credibility for the function.
Though 60% of respondents identify cybersecurity as the biggest risk to their business, fewer than half (46%) are confident their C-Suite completely understands the cyber risks facing their organisation. In fact, several claim they have been dismissed out of hand (33%) by the board and 36% say they are still treated as part of IT, rather than gaining recognition for being a key cog in mitigating business risk.
So lacklustre is the boardroom approach to cybersecurity that security leaders believe their businesses would deprioritise it in favour of improving the speed of digital transformation (35%), employee experience (33%) and hybrid working (31%).
“When IT security leaders are being treated like they are nagging or overly negative by executives that don’t fully understand the risks facing their organisation, it’s no surprise that they believe that a costly cyber incident is the only way that would get them to act. It continues to be deprioritised for initiatives and projects that are perceived to deliver greater business value. That’s why it’s critical that IT security leaders overcome the false perception that cyber is a barrier to value creation,” said Bharat Mistry, Technical Director UK & Ireland at Trend Micro.
Closing the cyber credibility gap in the boardroom
It’s clear IT security leaders face a serious credibility gap, with 63% of respondents saying they always or often feel challenged to demonstrate the business value of their strategy. However, many are taking steps to challenge this misconception by adapting their security approach to show more business value (77%) – with a focus on KPIs and future-proofing the function.
Almost all (89%) say they’ve implemented metrics – which could include the likes of mean time to detect (MTTD), number of security incidents, cyber awareness training completion rates, and cyber insurance claims – to measure the value of cybersecurity strategies. This approach is paying off, with 98% crediting it with leading to real change in the business, citing being viewed with more credibility (48%) and being given more budget (45%) as the top two impacts they’ve experienced since implementing KPIs.
Looking at how they can deliver value in the future, cybersecurity leaders believe they’ll need to upskill their teams to better interpret AI-generated data (53%). This is perhaps unsurprising given both the rising threat of AI and the opportunities the technology can unlock, such as improved performance to ensure a complete digital attack surface remains secure.