IT under pressure to downplay threat of cyberattacks to board

IT leaders are “self-censoring in front of their boards” for fear of appearing repetitive or too negative, says new research

Posted 17 November 2021 by Christine Horton

Ninety percent of IT decision makers claim their business would be willing to compromise on cybersecurity in favour of digital transformation, productivity, or other goals.

Additionally, 82 percent have felt pressured to downplay the severity of cyber risks to their board, according to research launched today by cybersecurity firm Trend Micro.

Bharat Mistry, UK technical director for Trend Micro, says IT leaders are “self-censoring in front of their boards” for fear of appearing repetitive or too negative, with almost a third claiming this is a constant pressure.

“But this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure,” said Mistry.

“We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth – helping to bring together IT and business leaders who, in reality, are both fighting for the same cause.”

The research reveals that just 50 percent of IT leaders and 38 percent of business decision makers believe the C-suite completely understands cyber risks. Although some think this is because the topic is complex and constantly changing, many believe the C-suite either doesn’t try hard enough (26 percent) or doesn’t want (20 percent) to understand.

There’s also disagreement between IT and business leaders over who’s ultimately responsible for managing and mitigating risk. IT leaders are nearly twice as likely as business leaders to point to IT teams and the CISO. 49 percent of respondents claim that cyber risks are still being treated as an IT problem rather than a business risk.

“Inconsistent attitude” to cyber risk

This friction is causing potentially serious issues: 52 percent of respondents agree that their organisation’s attitude to cyber risk is inconsistent and varies from month to month.

However, 31 percent of respondents believe cybersecurity is the biggest business risk today, and 66 percent claim it has the highest cost impact of any business risk – a seemingly conflicting opinion given the overall willingness to compromise on security.

Trend Micro says there are three main ways respondents believe the C-suite will sit up and take notice of cyber risk:

  • 62 percent think it would take a breach of their organisation
  • 62 percent say it would help if they could better report on and more easily explain the business risk of cyber threats
  • 61 percent say it would make an impact if customers start demanding more sophisticated security credentials