Gartner provides eight ways in which your organisation may be falling short when it comes to cyber security, leaving you vulnerable to an attack

Cultural and systemic issues may be leaving your organisation vulnerable. Many business leaders still believe cyber security is a problem that can be solved if they invest enough money, and hire the right people with the right technical knowledge who will keep them out of the headlines.

In fact, it’s often systemic and cultural issues between IT and non-IT executives, not technical competency or funding, that leave organisations exposed to cyber security attacks.

“These issues present opportunities for CIOs and CISOs to rethink how they engage senior non-IT executives to prioritise security,” says Paul Proctor, Distinguished VP Analyst at Gartner.

You can reduce the risk of cyber attacks by addressing these leading causes of failure within your organisation.

1. Invisible systemic risk

Businesses make decisions every day that negatively impact their security readiness: for example, refusing to shut down a server for proper patching or choosing to keep working on old hardware and software to save budget. These unreported decisions lead to a false sense of security and increase the likelihood and severity of an incident.

Action: Recognise, report and discuss systemic risk as part of normal security governance.

2. Cultural disconnect

Non-IT executives still see security as something that is “just there”, like air or water. This means it isn’t considered a part of business decisions. For example, a business leader requesting a new application is unlikely to include “security readiness” as a requirement.

Action: Put cyber security into a business context so executives can see the impact of their decisions.

3. Throwing money at the problem

You can’t buy your way out — no matter what you spend, you won’t be perfectly protected against cyber attacks. By trying to stop every risky activity, you will likely damage your organisation’s ability to function. 

Action: Avoid overinvestment in security that raises operational costs but damages the organisation’s ability to achieve business outcomes.

4. Security as “defender”

If security officers are treated as (and act as) defenders of the organisation, it creates a culture of ‘no’. For example, they might block the release of a critical application due to security concerns without considering the business outcomes the application supports.

Action: Position security as the function that balances the need to protect with the need to run the business.

5. Broken accountability

Accountability should mean that a decision to accept risk is defensible to key stakeholders. If accountability means that someone will get fired if something goes wrong, no one will engage. 

Action: Reward those who make decisions that best balance the need to protect with the need to run the business.

6. Poorly formed risk appetite statements

Organisations create generic high-level statements about their risk appetite that don’t support good decision making. Avoid promising to only engage in low-risk activities, as this can create invisible systemic risk.

Action: Create mechanisms that allow for the acceptance of risk within defined parameters.

7. Unrealistic social expectations

When a headline-grabbing security incident happens, society just wants heads to roll. While this isn’t fair, it’s the result of decades of treating security as a black box. No one understands how it really works and as a result, when an incident does occur, the assumption is that someone must have made a mistake. 

However, society is not going to change until organisations and IT departments start treating and talking about security differently.

Action: Be vocal about balancing the need to protect with the need to run the business rather than scapegoating.

8. Lack of transparency

Some boards and senior executives simply do not want to hear or acknowledge that security isn’t perfect. Board presentations are filled with good news about the progress that has been made in security, with little or no discussion about gaps and opportunities for improvement. We know of one company that even decided to move security under legal counsel so that discussions are privileged.

Action: To tackle the challenges, IT and non-IT executives must be willing to understand and talk about the realities and limitations of how security works.

Learn more about cyber security and other top IT topics at the Gartner IT Symposium/Xpo™ 2022 conference, 7 – 10 November, in Barcelona, Spain.

Related:

Gartner top strategic technology trends for 2022 — Gartner expects these 12 technology trends to act as force multipliers of digital business and innovation over the next three to five years. Here’s your quick guide to what the technologies are and why they’re valuable.

Promoting diversity in tech, and encouraging the next generation of cyber security professionals — Ahead of the Women in IT UK Summit, Jessica Figueras, vice-chair at the UK Cyber Security Council, spoke to Information Age about promoting diversity in tech, and encouraging cyber professionals of the future.