That is how some C-suite leaders viewed the cybersecurity budget, according to a survey: as a dispensable investment better put to use toward other growth goals.
In a recent survey of 5,321 IT and business decision makers from global enterprises with more than 250 employees in 26 countries, 90% of IT decision makers in the poll claimed their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals.
Additionally, 82% of respondents had felt pressured to downplay the severity of cyber risks to their board.
In the research, 50% of IT leaders and 38% of business decision makers polled believed the C-suite completely understands cyber risks. Although some thought this was because the topic is complex and constantly changing, many believed the C-suite either does not try hard enough (26%) or does not want to understand (20%).
Other findings
The data showed other observations among the sample population:
- 49% of respondents claimed that cyber risks were still being treated as an IT problem rather than a business risk. There was disagreement between IT and business leaders over who is ultimately responsible for managing and mitigating risk. IT leaders were nearly twice as likely as business leaders to point to IT teams and the CISO.
- 52% of respondents indicated that their organization’s attitude toward cyber risk was inconsistent and varied from month to month.
- 31% of respondents believed cybersecurity is the biggest business risk today, and 66% indicated it had the highest cost impact of any business risk.
- When polled on their opinion of how to make the C-suite sit up and take notice of cyber risk:
◦ 62% thought it would take a breach of their organization
◦ 62% indicated they should improve reporting on and explaining the business risk of cyber threats
◦ 61% indicated that customers should start demanding more sophisticated security credentials
Said Bharat Mistry, UK Technical Director, Trend Micro Incorporated, the firm that commissioned the survey: “IT leaders (in the survey were) self-censoring in front of their boards for fear of appearing repetitive or too negative, with almost a third claiming this is a constant pressure. But this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure. We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth, helping to bring together IT and business leaders who, in reality, are both fighting for the same cause.”
The survey report contained a comment from a respondent that “IT decision makers may need to modify their language so both sides understand each other. Articulating cyber risks in business terms will get them the attention they deserve, and help the C-suite to recognize security as a growth enabler, not a block on innovation.”
Another respondent noted that C-suite executives must come to view cybersecurity as a true business enabler and prioritize proactive investments and not just “band-aid solutions following a breach.”