UK IT leaders say £145K cyber loss needed for execs to act
A striking new report from Trend Micro reveals significant challenges faced by UK IT security leaders in their efforts to highlight cyber risks within the boardroom. According to the research, UK cybersecurity leaders believe a financial loss of around £145,000 from a cyber incident would be necessary to spur executives into taking cyber threats more seriously.
The report, "The CISO Credibility Gap," surveyed 100 cybersecurity leaders across the UK as part of a global study. A notable 74% of respondents admitted feeling pressured to downplay the severity of cyber risks to avoid being perceived as repetitive or too negative. Among the respondents, 41% cited concerns about sounding like they were nagging, while 38% feared appearing excessively negative.
This contrasts starkly with the fact that the same leaders identify cybersecurity as the number one risk to their businesses. Despite this, less than half (46%) of IT leaders trust that their executives fully understand the cyber risks their organisations face. Furthermore, 33% of respondents have been dismissed as exaggerating the dangers when raising issues with the board. Meanwhile, 36% reported that they are still seen as a mere extension of the IT department and not recognised for their critical role in mitigating business risk.
Security leaders also believe that business priorities often undermine cybersecurity efforts. Businesses are instead more inclined to prioritise the speed of digital transformation (35%), employee experience (33%), and hybrid working initiatives (31%).
"When IT security leaders are being treated like they are nagging or overly negative by executives that don't fully understand the risks facing their organisation, it's no surprise that they believe that a costly cyber incident is the only way that would get them to act," said Bharat Mistry, Technical Director UK & Ireland at Trend Micro. "It continues to be deprioritised for initiatives and projects that are perceived to deliver greater business value. That's why it's critical that IT security leaders overcome the false perception that cyber is a barrier to value creation."
The study also highlights a significant credibility gap, with 63% of IT security leaders frequently feeling challenged to demonstrate the business value of their strategies. In response, many are reassessing their security approaches to show more business value, focusing particularly on key performance indicators (KPIs) and future-proofing their functions. Two-thirds (77%) have adapted their security strategies to align more closely with business outcomes.
Almost all respondents (89%) reported implementing metrics such as mean time to detect (MTTD), the number of security incidents, cyber awareness training completion rates, and cyber insurance claims to evaluate the success of their cybersecurity strategies. These efforts seem to be paying off, with 98% noting that these changes have led to real improvements in their business, including increased credibility (48%) and more substantial budget allocations (45%).
Looking ahead, cybersecurity leaders recognise the need to upskill their teams to better interpret AI-generated data. They cite this as essential for managing the comprehensive digital attack surface and seizing the opportunities that artificial intelligence offers in enhancing security measures. Over half (53%) see this as a future priority.
The survey was conducted in January 2024 by Sapio Research, encompassing responses from 2,600 IT decision-makers across the Asia-Pacific, Americas, Europe, and North America, including 100 participants from the UK.