Bosses think that security is taken care of: CISOs aren't so sure

The World Economic Forum warns about a significant gap in understanding between C-suites and information security staff - but it's possible to close the gap.
Written by Danny Palmer, Senior Writer

Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom.

The World Economic Forum's new report, The Global Cybersecurity Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.

According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into their enterprise risk management strategies – in other words, that the organisation is protected against falling victim to a cyberattack, or can mitigate an incident so it doesn't result in significant disruption.


However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cybersecurity.

This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done to mitigate threats, while in reality there could be vulnerabilities that nobody has considered, or extra measures that still need to be put in place.

One of the reasons this cybersecurity gap exists is that chief information security officers (CISOs) and other cybersecurity personnel often feel they're not consulted. That lack of consultation means security is sometimes sacrificed in the name of efficiency or cost, which can have dire consequences down the line.

For example, take the challenge of ransomware – something that the WEF report suggests that 80% of cybersecurity leaders class as a "danger" and "threat" to public safety, not just to their own organisations.

Many ransomware attacks are successful because cyber criminals are able to exploit weaknesses in networks that could have been rendered harmless if standard security recommendations were followed – for example, enforcing two-factor authentication, keeping backups in place, or applying security updates promptly.

However, businesses can be reluctant to spend money on these areas or the personnel required to ensure that they are rolled out correctly, seeing it as a cost instead of an investment that will prevent additional money having to be spent further down the line.

It's often the case that it's only when a business falls victim to a cyberattack that the boardroom really starts paying attention to cybersecurity.

"The best and most resilient company is the one that has been breached already," Algirde Pipikaite, cybersecurity strategy lead at the World Economic Forum, told ZDNet. "Because they actually understand the importance of preventing a breach, or – if they are breached – a quick recovery."

But waiting to be breached in order for the boardroom to pay attention to cybersecurity isn't a realistic or desirable option. And there are options that those responsible for cybersecurity can take in order to help boost the cyber resilience of their enterprise.

One of those options is to ensure that cybersecurity issues can be brought to the board in plain language. The technical nature of some elements of cybersecurity can be overwhelming for people who don't deal with it day in and day out. Explaining security threats and issues in plain language could go a long way towards closing the gap between the board and the security team.

But it's also vital that cybersecurity teams are aware of how the business operates, which operations are most important and which assets should be prioritised – and an ongoing dialogue with executives is key to a successful partnership.


One way to get both teams together and encourage this sort of dialogue could be the use of table-top exercises to practice cyber-incident response. This could heighten awareness of potential issues for both business and security teams, enabling both to feel included in the decision-making process.

There are also the practical benefits of the organisation learning how it would react to a ransomware attack or other cyber incident, so that in the event of a real incident there's a plan in place that can be followed.

"The best way to bring these two communities together is to run a table-top exercise, having your incident response plan and running it in practice," said Pipikaite.

"The worst is if you get attacked and that's your first time actually trying to resolve a situation while trying to understand it," she added.
