Senior management involvement essential for cybersecurity

February 23, 2022

A recent Trend Micro survey revealed that persistent low engagement by IT executives and senior management (C-level) may jeopardize investments and expose companies to more severe cyber risks. Despite widespread concern over growing threats, the study showed that only 50 percent of IT leaders believe that senior management fully understands cyber risks and that only just over half (57 percent) of IT teams were discussing cybersecurity with the board at least weekly.

“Vulnerabilities used to take months or even years before they were exploited. Now they can take just hours or less. More executives are understanding that they need to be informed, but they often feel overwhelmed by how quickly the cybersecurity landscape evolves. There is a need for IT leaders to communicate with senior management, so they can understand where the risks are and better manage them,” comments Eva Chen, CEO of Trend Micro.

The good news is that current investments in cyber initiatives cannot be considered critically low-42% of respondents said they are spending on “cyberattacks” to reduce risks to the business more than other areas. However, the low involvement of senior management in decisions suggests a tendency to “just allocate money” to solve the problem, rather than developing an understanding of cybersecurity challenges and making investments appropriately. This approach can hinder the application of more effective strategies and raise the risk of financial loss. Less than half (46%) of respondents said that concepts such as “cyber risks” and “cyber risk management” were widely known within their organization.

Source: Trend Micro

Many said senior managers don’t try hard enough (26%), don’t want to understand (20%), or see it as just a technology problem. The complexity of the subject (34%) and constant change (34%) were the main reasons cited for lack of understanding.

What’s worse is that 82% of IT decision-makers felt pressured to downplay the severity of cyber risks to the board. Almost a third say this pressure is constant.

A good portion of respondents (77%) would like more people in the organization to be responsible for managing and mitigating these risks, helping to drive a culture of “security by design” throughout the company. The largest group of respondents (38%) is in favor of holding CEOs accountable. Other non-IT roles cited were CFOs (28%) and CMOs (22%).

Source: Trend Micro

Best communication practices

It is nothing new that there is friction in the relationship between IT and business areas. The problem is particularly more intense when it comes to cybersecurity, as it is seen as hindering innovation and productivity. Trend Micro’s study reveals the scale of the problem and makes some recommendations on how to overcome these barriers and try to develop the culture of security by design that modern organizations need to incorporate formalized cybersecurity measures into business processes.

After surveying more than 5,300 business and IT decision-makers globally to better understand how friction between the two sides is hurting the business, it became clear that for IT directors, senior management is ignorant and apathetic about cybersecurity risks. There is a dynamic that is even forcing IT leaders to self-censor in front of senior management for fear of appearing too negative or repetitive.

According to Trend Micro, the path to improved relations lies in the need for senior management to start viewing cyber risks as a major business threat as well. Unfortunately, the majority of respondents believe that the only way senior managers will learn about the risks of cyberspace is if they are faced with a major incident, or if customers have started to demand proactive behavior in this field.

The research highlights that the key element lies in cybersecurity by design, a principle-based on best practices that require cyberspace to be incorporated into everything you do in organizations, from staff training to product and service development. The idea is that by changing user perception and behavior and adapting business processes, it is possible to develop a culture that values cybersecurity first and foremost and is self-reinforcing.

How to put this into practice? Trend Micro gives some tips: 1) Formalize cybersecurity via documentation, KPIs, and established metrics that help in discussing cyber risks to the business.

2) Consider creating the role of Business Information Security Officer (BISOs), who can help embed cybersecurity into business processes and also align them with business demands.

3) Restructure the lines of the hierarchy so that the CISO reports directly to the CEO. This will help bring the CEO closer to the cybersecurity functions and, in the other direction, will help ensure more business intelligence for cybersecurity leaders.

4) Deploy an XDR (Extended Detection and Response) platform that correlates and analyses threat data across the entire IT environment (endpoints, servers, cloud workloads, networks, and email services) to ensure maximum visibility into threat levels and risks.