Cybercrime is as natural and irresistible a force of digital socioeconomic life as earthquakes are to the physical world. Left unaddressed, vulnerabilities in cybersecurity can hamper the pace of digital innovation, batter shareholder confidence and public trust, and ultimately open the ground beneath your feet, swallowing up your organisation.
Overcoming the threat boils down to two things: accepting that you will be breached (awareness) and the ability to do something (readiness). It is easy to understand the distinction between these in our own lives. You know that you should have anti-virus software on your device, but are you ready to be hacked? Are you ready to contain the damage of digital identity theft?
Assessing the cybersecurity readiness, awareness and vulnerability of 1,530 global corporate leaders is the foundation of our new report at Goldsmiths, in collaboration with Nasdaq and Tanium – The Accountability Gap: Cybersecurity and Building a Culture of Responsibility. This is the first ever study that seeks not just to collate the opinions of global executives and non-executives but to benchmark their individual readiness and awareness of cybersecurity challenges.
Subject matter experts helped us identify eight challenges that make up cybersecurity vulnerability in a company: accountability, responsiveness, threat intelligence, risk appetite, human behaviour, legislation and regulation, and cyber literacy.
Any organisation that manages and maintains sensitive data should consider how corporate leadership and its board oversees cyber risks. The accountability gap is the difference between where corporate governance needs to be and where it actually is in relation to cybersecurity.
Our findings suggest three routes to bridging this gap: culture change, fostering innovation, and increasing visibility.
Creating a culture of constant vigilance and increasing competency at board level, and then throughout the company, can make cybersecurity a priority enterprise risk, while also reducing vulnerability. But this is easier said than done. Often, basic protection measures are not in place and the differences between businesses can be stark.
Only 13 per cent of the most vulnerable non-executive directors (NEDs) are briefed regularly on relevant cybersecurity legislation and regulation, and just 8 per cent are regularly updated on the types of threats and sources that are pertinent to their businesses. This compares to 100 per cent and 96 per cent respectively of the least vulnerable. The most vulnerable are in this category precisely because they lack the relevant knowledge, so cannot develop a strategy or allocate resources for acting.
There is a marked hesitance to speak up among those NEDs who didn’t consider themselves knowledgeable about “cyber”. Most are not digital natives and there is a common culture of complacency – often a “leave that to the techies” spirit – and an over-reliance on specialist advice. Only 51 per cent of NEDs in the UK can interpret a cybersecurity report with the same level of competency as a financial statement. As one prominent non-exec told us: “Our chief information security officer told us they had stopped 1.2m attacks in the last quarter and we awarded him a bonus. Later I realised I didn’t have the first clue if that was a lot or a little, or even how many got through and their impact.”
Business and government leaders grapple daily with the double-edged sword of digital innovation: as new technologies introduce unprecedented levels of efficiency, speed and ability to the world, a new wave of cybersecurity risks that threaten that very technology – and the people who use it – immediately follows.
Corporate governance of cybersecurity is as much about protecting the business as opening up new opportunities to compete and grow. Security by design is challenging – not least because cybercriminals are also relentlessly innovating. “Threat is going up, sophistication is going up, the number of criminals is going up, the risk for the criminals is going down,” says Troels Oerting, group chief information security officer at Barclays.
Like our other calls to action, network visibility is no sure thing – even in the largest organisations. Of the most vulnerable C-level executives, 98 per cent are not confident that their organisation tracks all devices and users on their networks at all times. And 90 per cent are not regularly updated about the types of cybersecurity threats their organisation faces. Still, 74 per cent of all our panellists intend to increase spending on security products in the next fiscal year.
As seismologists will tell you, earthquakes are notoriously difficult to predict. Cybercrime strategy is about managing risk and recognising the foreshocks, all the way from the front line up to the boardroom.
A copy of the report is available at tanium.com/accountabilitygap