
Why C-Suite Executives Don’t Fully Understand Cybersecurity

IT teams face an uphill battle

Charlie Osborne

London – Feb. 15, 2022

Enterprise boardrooms are trailing behind in addressing cybersecurity and treating risk as purely an IT issue, new research suggests.

Fraud, criminal activity, and even state-level “warfare” are no longer conducted only in the physical world — they are also happening inside homes and offices, with individuals able to cause severe, real-world damage from the comfort of their sofas.

Malware operators hold crucial infrastructure companies to ransom for millions of dollars — as the recent cybersecurity incident at Colonial Pipeline highlighted — data breaches are so common that you are more likely than not to have had some form of personally identifiable information (PII) leaked, and cybercriminals, including insiders, are prosecuted week after week for everything from deliberate network damage to the theft of sensitive corporate data.

Cybersecurity Ventures highlights the growing prevalence of cybercrime and expects its damage costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

In a new global research study conducted by Trend Micro, which included the perspectives of over 5,000 IT professionals in 26 countries, 90 percent of decision-makers said their business would be willing to compromise on cybersecurity for the benefit of goals including increasing productivity or digital transformation.

Furthermore, only half of the respondents said they believe C-suite executives fully understand cybersecurity threats and risk management. They considered the core issues to be a lack of willingness to try to understand cybersecurity (26 percent), a simple refusal to want to understand (20 percent), and a belief among some executives that cyberattacks are an “impenetrable technology issue.”

Dr. Melissa Griffith, a senior program associate with the Wilson Center’s Science and Technology Innovation Program, told Cybersecurity Ventures that digital transformation initiatives may result in an immediate ROI, whereas “the consequences of insecurity are too often perceived as less immediate and tangible.”

“Better hardware and software yield immediate returns on investment, whereas prioritizing secure hardware and software raises costs (for both buyers and sellers) and can be deeply challenging,” Griffith said. “Yet, with increasing levels of dependence on and rapid technological change across our digital ecosystem, it is critical that security by design become the norm rather than the exception.”

According to Trend Micro, it is not just a lack of understanding — willfully ignorant or not — that IT teams have to face when working with the boardroom. In total, 82 percent of those surveyed said they have even felt pressure from higher-ups to downplay the severity of cybersecurity risks to board members — and a third of respondents said this kind of cultural attitude is a “constant pressure.”

In total, 62 percent said that the only way C-suite executives would take notice of cybersecurity is if the organization suffered a data breach, and a further 61 percent said that customer demands for a revamp and additional investment in this area are the only means for any form of change.

So, what is the critical reason for the polar opposite views held by IT teams and the board? According to half of those surveyed, the problem is that cybersecurity risks are treated as purely IT problems rather than as genuine risks to the business as a whole.

But what can be done to encourage cultural change from the top? Griffith told us that executive-level management teams have to learn how to adapt, be agile — and they must learn how to understand and mitigate cybersecurity threats over time.

“Shifting from a primarily capability-based approach to a risk-based approach to cybersecurity will be critical,” Griffith commented. “Too much of our current efforts are focused on compliance. Capability assessments are important. Alone, however, they neither capture the threat landscape each business or organization faces nor allow them to effectively prioritize investments and capabilities to mitigate those risks in practice.”

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets. 
