
Cyber Risk Disconnect at the C-Level

For the past few years, especially in the post-pandemic world, there has been considerable commentary about how cybersecurity has finally entered the boardroom as a topic to be debated by the leadership team. However, a new survey indicates that all the talk may not have resulted in any significant change.

A new industry survey shows how IT personnel at varying levels of seniority tend not to see eye-to-eye when it comes to interpreting risk. Each of these individuals has a very different view of the biggest challenges facing their IT or security departments. Take a look at some of the numbers that came from the survey: 

  • About 59% of directors and 51% of managers stated that their largest day-to-day challenge is the sheer volume of cyber threats that they need to keep pace with.
  • In contrast, 52% of information technology professionals at the SVP level said that their most significant challenge is that the C-suite remains uninformed about cyber and IT risks.
  • Adding to the complexity, information technology professionals at the C-suite level described insufficient funding (42%) and leadership turnover (40%) as their biggest challenges.
  • When it comes to cyber/IT risk in strategic planning, only 37% of managers said that they felt extremely confident about their leadership’s approach. However, 63% of SVPs viewed cyber/IT risk plans favorably, and 56% of the C-suite thought along the same lines.

So, what does this mean for the cyber universe?

The findings described above reveal a deep disconnect between how leaders at varying levels think and feel about cyber/IT risk and its governance. 

One expert says that part of the disconnect may stem from the fact that upper-level management may not always recognise that vulnerabilities aren’t necessarily something that you can plan for. In turn, upper-level management may inherently feel better about cyber risk than someone who’s ‘in the weeds’ and has a more nuanced understanding of how threats work.

Another possible reason for the disconnect is that upper-level leaders are trained to solve strategic problems, and are therefore accustomed to thinking about risk through one particular lens. Rank-and-file information technology professionals are trained to monitor alerts (among other things), and thus perceive risk from an entirely different perspective.

However, there’s consensus over some issues

This survey also showed that IT/security professionals across leadership levels are concerned about under-staffing throughout the information security and Governance, Risk and Compliance (GRC) departments.

Eighty percent of respondents worried that their information technology leaders were under-resourced, while 79% agreed that turnover represented a significant problem.

More than 80% of directors say that they raised concerns around cyber/IT risk pertaining to specific business initiatives with company leadership. However, just 30% of those at the C-level said that they shared those concerns with other senior corporate leaders, implying that there isn’t always the possibility of resolving issues due to resource constraints.

To that effect, it’s imperative that organizations invest in risk and pursue technologies that will drive efficiencies, enable the business and enhance business growth prospects.
