Sally Morris
Cyber Captains share their view on the choppy seas of cyber security
The UK’s Department for Digital, Culture, Media & Sport has published its “Cyber resilience captains of industry survey 2021”, which highlights cyber threats to be “high risk” in comparison to all other risks that companies face.
The survey received responses from “Captains of industry” – which are comprised of Chairs, CEOs, COOs, and other executive board directors across finance, technology and utilities (among others). The survey found that nine in ten Captains said that they consider cyber threats to be a high or very high risk to their firms.
Interestingly, while 92% of respondents agreed that they integrate cyber considerations into their wider business areas, only 83% of these felt that their board was well informed enough to make decisions about cyber resilience. Moreover, only 77% of Captains said that they included discussions about cyber security on at least a quarterly basis.
Are boards adapting to meet cyber risk?
The last few years have been overshadowed by the global pandemic, which pushed individuals and companies online like never before. With that in mind, in 2020 nearly all Captains (99%) said that they had a cyber strategy in place, with 86% allocating a dedicated budget to this strategy. Despite this, only 58% of respondents said that the cyber strategy aligned with their business goals, and even more surprisingly only 20% had integrated a cyber strategy within their IT strategy.
What is particularly notable in the survey findings is the high percentage of organisations who have put documentation in place to manage cyber risks. Of the firms asked, more than 95% said that they had written documentations for cyber security, including risk registers and business continuity plans.
However, while this documentation is in place, there is a stark contrast between documentation and implementation. Cyber risk is a constantly evolving beast. As we saw over the last year, cybercriminals are quick to innovate around new environments and systems and utilise new methods to target businesses and individuals alike. With that in mind, it is striking to see that 18% of boards discuss cyber once every six months, and 51% discuss it on a quarterly basis. Even more shockingly, 1% said they never discuss cyber risk.
How can boards improve?
Understanding cyber risk is difficult. Implementing strategies to mitigate those risks is even harder, especially given the ephemeral nature of cybercrime. When asked how boards could be better supported to make better decisions about cyber, 34% said that they needed better education or training for their board.
Moreover, 24% said that they needed greater engagement with third party experts, which might imply a lack of cyber experts working within organisations – especially when only 13% said they would like greater engagement from internal company experts. 21% of Captains said they would benefit from the provision of regular updates about cybersecurity risks.
CUBE comment
On a high level, the results of this survey are encouraging. Boards are aware of cyber risks and are implementing documentation to mitigate and support that risk. However, when you drill down into the specifics, there are certainly areas for improvement – and in some cases areas for concern.
It long seems to have been the thinking within organisations that creating documentation and annual training is enough to keep risk at bay. As we’ve seen through a raft of recent data breaches and enforcement action, cyber risk mitigation needs more. Cybersecurity needs to be embedded within organisations from the top, down. It should be part of a company’s culture and goals, not simply a policy that’s revisited every year.
With that in mind, it’s interesting – and somewhat contradictory – that, while nine out of 10 of Captains consider cyber security a high or very high risk, only 51% are having discussions around the topic quarterly, with 18% only discussing it quarterly. Cyber is ever evolving and innovative. As technology grows, so too does the cyber risk.
Cybercriminals are not precious; they will find weaknesses within an organisation and pinpoint these gaps. If boards aren’t discussing cyber on a monthly basis, the cracks will undoubtedly begin to show.
Which leads me to the 21% of Captains that have said they would benefit from the provision of regular updates around cyber risk. While it’s good to see boards acknowledging that they aren’t necessarily abreast of the latest information, it’s surprising that the figure isn’t higher.
At CUBE, we’re seeing thousands of regulatory updates being published daily. Given the increased regulatory focus around cyber, it stands to reason that a vast proportion of these regulatory updates will concern cyber. Of course, we can’t expect board of directors to keep on top of these updates, but the compliance, data and IT departments within organisations will.
CUBE can help you keep abreast of every regulatory change and make sense of it for your business.