Business leaders gain cybersecurity perspective


Convincing business executives that they need to invest more in cybersecurity has always been challenging, even in the best of times. A survey of 722 C-level executives conducted by PwC, however, suggests the cybersecurity times are finally changing.

The survey finds that nearly half of respondents (49%) said they are, as a result, increasing investments in cybersecurity and privacy. More than three quarters (79%) also said they are revising or enhancing cyber risk management. A full 84% also noted they are either monitoring closely or acting on potential regulatory changes.

However, the PwC survey is also telling in that, despite all the cybersecurity threats organizations face, it can be inferred that 51% of respondents are most likely either keeping their current cybersecurity investments the same or looking to reduce them outright.

Naturally, there is always a temptation to reduce cybersecurity budgets during any downturn, but it is clear cybersecurity is now viewed within a larger business context. Historically, cybersecurity was viewed mainly as a cost of doing business that was funded as part of the overall IT budget. Most IT budgets are about two to three percent of annual revenue, so the percentage of that budget allocated to cybersecurity has been for all intents and purposes relatively negligible as a percentage of revenue.

What is changing the way business leaders think about cybersecurity is that, as organizations invested more in digital business transformation initiatives in the aftermath of the COVID-19 pandemic, more business executives started to appreciate the level of risk cyberattacks represent. An increase in ransomware attacks that coincided with that digital business shift added perspective, as it became clear that an entire business could be crippled to the point where it might actually fail. Add in the potential for global cyber warfare in the wake of the invasion of Ukraine and it’s never been easier for cybersecurity professionals to get the attention of C-level executives.

The challenge, of course, is that a lot of cybersecurity professionals don’t always understand how business executives think. From the very first day of business school, executives are trained to evaluate risk versus reward. Just because something is risky, it does not always follow that it should not be attempted. Nothing ventured is still nothing gained. Business executives may implement some additional measures to reduce risk, but they are almost never going to completely ignore a business opportunity because of cybersecurity concerns. As such, it’s critical for cybersecurity professionals to remember, when engaging with C-level executives, that they don’t typically have the same fear of risk. Every decision for them is a game of probabilities involving degrees of risk. Most of the time they want cybersecurity teams not to prevent every risk but simply to narrow the odds in favor of the business.

Cybersecurity professionals generally enjoy the privilege of being able to decide what type of organization they want to work for given the current chronic shortage of cybersecurity expertise. There’s not much sense in working for an organization that doesn’t take cybersecurity seriously, especially when it will be the cybersecurity team that is blamed when inevitably something goes horribly wrong.

Nevertheless, before giving up, cybersecurity professionals should ask themselves whether they are really framing the level of cybersecurity risk the business is taking on in a way a business leader can fully appreciate. Unfortunately, the answer to that question is no more often than far too many cybersecurity professionals yet realize. As such, whenever there is a cybersecurity incident there really is plenty of blame to go around, so perhaps the better part of valor now might actually be to start the conversation anew, but this time from a much more empathetic perspective.
