Senior managers are putting businesses at risk of cyberattacks and data breaches because they don't understand cybersecurity issues and, in some cases, don't even want to learn about the dangers.
According to research by cybersecurity company Trend Micro, just half of IT decision makers believe that the board understands cyber risks. Of the 5,321 IT leaders surveyed, 90% said that the C-suite aren't focused on cybersecurity because they have other priorities, such as digital transformation or improving productivity. As a result, they see cybersecurity as a barrier to reaching their preferred goals.
However, there's also a significant minority of board members who aren't actively trying to learn about cybersecurity. According to the research, 26% don't try hard enough to learn about cyber risks, while 20% simply don't want to understand the cyber risks their organisation is facing.
This lack of understanding is causing tension between information security teams and the boardroom, to such an extent that 82% of IT decision makers say they have felt pressured to downplay the severity of cyber risks to their board.
Nearly a third of these individuals say this is a constant pressure, indicating that many boardrooms would prefer to bury their heads in the sand instead of tackling cybersecurity problems.
Almost two-thirds (62%) said that the board would only sit up and take notice of cyber risks if the organisation suffered an attack or data breach, while 61% said they'd be forced to take notice if customers demanded enhanced security – suggesting that the risk of losing business because of perceptions of poor security could finally make executives take note.
But even when boardrooms and executives are concerned about cyberattacks, and are engaging with cybersecurity leaders about issues, detailing risks and how to manage them can still prove to be tricky, especially if execs are starting out with little technical understanding of the issues.
It's therefore vital that information security teams break things down for executives, regularly explaining the issues – and, crucially, in ways that senior managers are able to understand.
"More executives than ever understand that they have a responsibility to be informed, but they often feel overwhelmed by how rapidly the cybersecurity landscape evolves," said Eva Chen, CEO of Trend Micro.
"IT leaders need to communicate with their board in such a way that they can understand where the organization's risk is and how they can best manage it," she added.
Steps that can be taken to help this process along include formalising cybersecurity with documentation and metrics, and encouraging business risk discussions around the issues. It's also recommended that the CISO report directly to the CEO, so that the CEO is exposed to cybersecurity issues first-hand, thereby helping to drive discussions around cybersecurity.