The barbarians are at the proverbial digital gate, and the need to secure our data, processes and organizations is critical to survival in the digital revolution. But this is not by any means a recent development; in 2012, then-FBI Director Robert Mueller made the observation, “There are only two types of companies: those that have been hacked, and those that will be.” A glance at news headlines over the intervening five years bears out the wisdom of that statement, and with the average cost of a data breach now reaching around $4 million, this isn’t a matter to be taken lightly. So why, then, are business leaders today still keeping their heads in the sand and not tackling the issue of cybersecurity in the boardroom?
According to our recent Work AHEAD study, business leaders do view cybersecurity as a crucial element of their business today and in the future. When asked which technologies are having the greatest impact on their business today, 96% of study respondents named cybersecurity, and 99% cited cybersecurity when looking out to 2025. By these figures, we can see that the issue of cybersecurity has seared itself into executives’ consciousness, regardless of industry and region.
So why aren’t business leaders giving cybersecurity the attention it so desperately requires? In a recent survey we conducted, only 9% of respondents said their organizations were making cybersecurity a board-level priority, and nearly half (45%) are keeping it as a purely IT initiative. This is a damning indication of the attitude organizations have toward cybersecurity today – the adage of “practice what we preach, not what we do” seems to ring true here.
A recent report from Harvard Business Review gives us some interesting insight into why this is the case. In general, most company boards lack the processes and expertise they require to adequately deal with, evaluate and remediate cyber threats:
- Inadequate process: The majority of boards are well equipped to deal with processes involving financial planning, compliance and growth strategy. Cybersecurity, on the other hand, is lower in the pecking order regarding due process. According to the HBR study, directors ranked the effectiveness of processes related to cybersecurity dead last out of 23 processes surveyed.
- Lack of expertise: The reason boards are not making cybersecurity a priority and instilling processes around the issue comes down to a lack of expertise in the area. A large proportion of FTSE 100 boards consists of financially trained members who are not skilled in dealing with and installing cybersecurity processes.
Boards, therefore, need to double down on cybersecurity processes by procuring adequate expertise. This needs to be Step One in their efforts to build appropriate cyber defenses. In one large organization, the CEO highlighted the issue of cybersecurity by getting directly involved with senior security executives in making decisions, while other organizations have placed divisional chief information security officers in business units, pairing them with senior execs in these roles.
Ultimately, data security is the responsibility of every employee. However, the direction and attitude toward security have to be preached from the C-suite pulpit. Arming senior leadership with expertise and process rigor needs to be addressed early on in the digital security build-out.