Australian IT security leaders fail to close boardroom credibility gap

More than three-quarters (76%) of Australian technology leaders agree that cyberattacks have the highest cost impact among all business risks, yet only about half (55%) think their C-Suite completely understands the magnitude of these imminent cyber risks, according to new research from global cybersecurity leader, Trend Micro.

Moreover, the research showed that losses have to reach $300,000 on average, before the C-Suite is incentivised to take more firm action on cyber risks, highlighting a concerning gap in understanding between IT security leaders and the boardroom.

About three-quarters (73%) of local cybersecurity leaders have felt boardroom pressure to downplay the severity of cyber risks facing their organisation. Of those security leaders who came under pressure from their board, 44% say it is because they are seen as being repetitive or nagging and 41% say that they are viewed as overly negative. More than one-third (37%) claim they have been dismissed out of hand.

“Despite clear evidence of an increasingly aggressive threat landscape, our research is telling of the pressures security leaders are facing in being brutally honest about the realities and risks with their C-level,” Trend Micro ANZ Commercial managing director, Srujan Talakokkula said.

“When cybersecurity resilience is risked for the sake of perceptions, the consequence will be widening security gaps, which can be exploited by attackers. This can have huge ramifications including financial and reputational damage, so it is critical for technology leaders to effectively communicate the risks to the top-management.”

This credibility gap is closely linked to the inability of organisations to align cyber with business risk. In fact, 49% of respondents say that when they have been able to measure the business value of their cybersecurity strategy, they’ve been given more responsibility.

Additionally, 84% believe media attention to a high profile breach or a breach within the business would be the top two reasons that incentivise the board to act more firmly on cyber risk.

Over half (58%) of respondents believe they’ll need an increase in IT communication skills to rectify the situation. But a unified Attack Surface Risk Management (ASRM) platform could eliminate the need for investments by delivering consistent and compelling risk insight—potentially in the form of an executive dashboard.