The challenge comes as businesses are becoming increasingly reliant on digital and online systems, making it all the more difficult to achieve a good understanding of cyber risks across the whole company.
In the digital era, new points of entry are opening up for most businesses: from email to cloud environments, from mobility to applications, from the payment gateway to the datacentre, and many more.
Information security professionals have a key role in digital transformation processes to ensure the business understands the risk, implements the necessary mitigations and accepts the residual risk.
But engaging with business leaders and boardrooms on cyber security can sometimes be as challenging as understanding the threat landscape in the first place, according to information security professionals.
Osterman Research shows that only 37% of IT security professionals believe risk is reduced as a result of conversations with their boards.
Many feel overlooked, ignored and underappreciated when trying to get a budget to address security holes, says Tim Holman, chief executive at 2-sec security consultancy.
“The challenge we face isn’t the business failing to grasp cyber risk, it’s addressing the communications gap between technical staff and business owners,” he says.
Cyber insurance a grudge purchase for business owners
Business owners also do not like spending money on anything that does not make them money, says Holman, adding that even cyber insurance is a grudge purchase.
“I’m never fond of paying a high premium, but I accept it if there’s a niggling feeling that I could lose my livelihood and house if I fail to get the right insurance cover,” he says. “And mitigating cyber risk is exactly the same. If companies don’t do it, they could go out of business.”
But businesses tend to be overconfident in existing defences and often doubt they could be seriously affected by a cyber attack, leaving infosec pros with the challenge of persuading them there is a real need to mitigate security risks.
Holman cautions against demanding cash after something has happened to plug a hole. “It’s about taking a proactive stance, dealing with cyber security before something happens, and being prepared to tell security suppliers where to stick their hardware if it doesn’t fit into your security programme.
“I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme that fits the business. Fortunately, creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business,” he says.
If that does not work, Holman suggests a short, sharp exercise that demonstrates to the business exactly what could go wrong in their cyber world.
“Simulate a phishing email, put a malware test file on your CEO’s laptop, take your CFO’s laptop away for an hour and simulate critical hardware theft. Then leave a suspicious package in the mail room or simulate a web server hack to raise awareness over time, which will ultimately loosen the purse strings and get support for implementing change.”
Raising cyber security awareness
Cyber security is everybody’s responsibility, says Maxine Holt, principal analyst at the Information Security Forum (ISF). “Start by raising awareness across the organisation because people are an organisation’s biggest asset and also potentially its biggest risk. How these people take decisions and behave in key moments is essential to strengthening resilience.”