Cybersecurity can present an existential threat to any organisation that becomes the victim of an attack, yet too many leadership teams don’t know how to assess the risks they face, build a business-focused strategy or determine the right levels of security investment.
Let’s be clear, this isn’t about general levels of awareness – there can be very few leadership teams who by now don’t understand the importance of securing their IT networks, files and data from the varied and growing risks they face. Yet, as we also know, the number of attacks is growing all the time and the headlines about devastating security breaches continue to appear.
Take this worrying revelation from the leading industry site, Computer Weekly, for example: “. . . authorities have warned network administrators that US Websites and email servers might come under increased attack from Chinese hackers next week.” This is certainly worthy of attention, but it’s also very telling when you realise this quote is actually almost exactly twenty years old, having been published on the site in April 2001.
So, how do we account for the lack of urgency still given to cybersecurity across many of today’s boardrooms two decades later? Without doubt, one of the main reasons is leadership mindset. For example, many business leaders still pigeonhole cybersecurity as purely an IT ‘problem’. To an extent, that’s understandable given the complex nature of the issues and the role of technology in protecting businesses from risk and attack. But the problem with this approach is that leaders don’t feel willing or able to engage with the issues at stake, and so risk not being in a position to set the tone for their strategic cybersecurity posture.
In many other boardrooms, the dominant perspectives are equally concerning. Yes, these leaders will accept the general need to invest in a cybersecurity strategy, but don’t give it sufficient focus because they don’t see themselves in immediate danger. This can mean that investment decisions – some of which are vital – are kicked down the road in favour of different, non-cybersecurity priorities.
Other leaders are primarily focused on the need for the investment decisions they make to deliver a definitive financial return. The problem here is that one of the most tangible demonstrations of a successful cybersecurity investment is that things don’t happen – systems, documents, users and data remain out of reach to bad actors, which is exactly what we should all be focused on. For many leaders, however, that doesn’t deliver measurable RoI, so it’s not an investment priority.
Whichever way you look at it, this ‘corporate procrastination’ is a dangerous strategy to rely on. Instead, business leaders need to focus their attention on understanding the nature of risk and the impact a successful cybersecurity attack can have on their ability to operate normally, on their levels of compliance, their reputation – even their prospects of remaining in business at all.
Leaders should see their role in the cybersecurity decision-making process in a different light, adopting a mindset where they engage with the issues and the risks, and seek out advice that can better inform their decision making. In doing so they put themselves in a much stronger position to focus time and investment on keeping their organisations safe, viewing cybersecurity as delivering a range of benefits that are as important as any other issues that reach the boardroom agenda.
This doesn’t require leaders to become technology experts, to step outside of their core competencies or to do someone else’s job for them. Instead, it means that they take a proactive perspective on their role in delivering cybersecurity to build an approach where money spent on minimising the risk of breaches and attack is seen as a valuable investment, rather than an inconvenient overhead.