Too much or too little organizational trust; misplaced trust; exaggerated trust and over-confidence were variables cited in one international survey.
In a Q1 2023 survey of 1,000 senior IT security decision-makers from firms valued at between US$50m and $10bn from the USA, the UK, Hong Kong, Japan, Singapore, Ireland, Spain, Italy and Brazil on cybersecurity trends, a general lack of organizational trust was perceived to be the biggest challenge (by more than a third of respondents) in ensuring adequate cyber resilience.
The data showed up a gap between the level of trust organizations have in their readiness to achieve true cyber resilience, and the trust in security tools and teams. In some cases, trust in people and processes had been misplaced or excessive, a factor that can constitute a further security threat to organizations.
While respondents were cognizant of the potential risks and the importance of taking action, the data showed that they did not always apply this awareness in practical terms, due to factors such as over-confidence in their organizations’ defenses; “over-trust” where those closest to the day-to-day security of their organization lacked a complete understanding of what is involved in the implementation of true cyber maturity; and combined with a lack of resources for the necessary maintenance of the cyber technology at IT teams’ disposal.
Additional findings
Broader findings from the data indicated the presence of widespread mistrust across respondents’ organizations, with 95% of respondents citing that they did not feel senior leadership trusted them to protect their organizations from threats. Also:
- 30% of respondents from the specified APAC countries cited that they “completely” trusted their organization was protected and they could successfully defend against most or all cyberattacks. This is lower than the 37% of respondents from the other countries feeling the same.
- 56% of Japan respondents cited “blame culture” as the main cause of depreciation of trust in their organization. Other respondents cited various different causes of mistrust, such as lack of communication, lack of staff, over-stretched business or financial targets, or limited technical capabilities.
- 100% of respondents agreed that there was a cost to a lack of trust. Japan respondents cited slow incident response as a top consequence, while other countries’ respondents cited “lack of cyber maturity”, “misrepresentation of cyber risk” and “more complexity”, among a list of 10 consequences.
- 16% of Japan respondents indicated they were covered by cybersecurity insurance. Overall, 23% was the average incidence of specific cybersecurity insurance cover for all respondents in the survey.
- Trust in employees was ranked higher (66%) than the ability of the security team to identify and prioritize security gaps (63%); accuracy of data alerts (59%); effectiveness of cybersecurity tools and technologies (56%); and the accuracy of threat intelligence data (56%).
- By industry, hospitality (10%), not-for-profit (13%) and transportation (17%) respondents were the least insured, compared to respondents in sectors such as technology and communications (34%) and education (27%). Overall, two-thirds of respondents cited not being protected by any form of cyber insurance.
According to James McLeary, Managing Director and Global Lead of Cyber Risk Advisory, Kroll — the firm that commissioned the survey: There needs to be trust in teams, trust in technology, in intelligence sources, and with suppliers. However, there is a critical balance to be made on how much and where that trust should be placed. Further, there is a misunderstanding in the capabilities of security tools without continued managed response. Of course, this is understandable considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily. Security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one and done’ solution for an ever-changing landscape.”
