Study: 90% of IT Decision Makers Believe Organizations Compromise on Cybersecurity in Lieu of Other Goals

Approximately 90% of IT decision makers claim their businesses would be willing to compromise on cybersecurity in favor of digital transformation, productivity or other goals. This is according to research conducted by cybersecurity software company Trend Micro. The company also commissioned Sapio Research to interview 5,321 IT and business professionals from enterprises larger than 250 employees across 26 countries.

The study found 82% of decision makers have felt pressured to downplay cyber risks to their board.

Bharat Mistry is U.K. technical director for Trend Micro.

Trend Micro’s Bharat Mistry

“IT leaders are self-censoring in front of their boards for fear of appearing repetitive or too negative,” Mistry said. “This will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure.”

Almost a third of decision makers claim self-censoring is a constant pressure, he said.

Organizations need to discuss risk in a way that frames cybersecurity as a fundamental driver of business growth. Additionally, they need to bring together IT and business leaders who are willing to fight for the same cause.

Reframing Cyber Risks

Phil Gough is head of information security and assurance at Nuffield Health, the U.K.’s largest health care charity.

“IT decision makers should never have to downplay the severity of cyber risks to the board. But they may need to modify their language so both sides understand each other,” Gough said. “That’s the first step to aligning business — cybersecurity strategy, and it’s a crucial one. Articulating cyber risks in business terms will get them the attention they deserve.”

Nuffield Health’s Phil Gough

It will help the C-suite recognize security as a growth enabler, not be a block to innovation, he added.

The research reveals that just half of IT leaders and slightly more than one-third (38%) of business decision makers believe the C-suite completely understands cyber risks. However, some think this is because the topic is complex and constantly changing. Many believe the C-suite either doesn’t try hard enough (26%) or doesn’t want (20%) to understand.

Moreover, the pandemic adds to this complexity, making companies more vulnerable to cybersecurity threats.

Claiming Responsibility

There’s also disagreement between IT and business leaders over who’s ultimately responsible for managing and mitigating risk. IT leaders are nearly twice as likely as business leaders to point to IT teams and the CISO. Respondents (49%) claim that cyber risks are still being treated as an IT problem rather than a business risk.

Furthermore, this friction causes potentially serious issues. Approximately one-half (52%) of respondents agree that their organization’s attitude toward cyber risk is inconsistent and varies from month to month.

However, about one-third (31%) of Trend Micro survey respondents believe cybersecurity is the biggest business risk today. And two-thirds (66%) claim it has the highest cost impact of any business risk. The study’s authors say this is a seemingly conflicting opinion given the overall willingness to compromise on security.

There are three primary ways respondents believe the C-suite will sit up and take notice of cyber risk.

• Sixty-two percent think it would take a breach of their organization.
• Sixty-two percent say it would help if they could better report on and more easily explain the business risk of cyber threats.
• Sixty-one percent say it would make an impact if customers start demanding more sophisticated security credentials.

Marc Walsh is enterprise security architect at Coillte, an Ireland-based commercial forestry business.

Coillte’s Marc Walsh

“To make cybersecurity a board-level issue, the C-suite must come to view it as a true business enabler,” Walsh said. “This will prompt IT and security leaders to articulate their challenges to the board in the language of business risk. And it will require prioritized, proactive investments from the boardroom — not just band-aid solutions following a breach.”