What Executives Get Wrong About Cyber Security Risk & Risk Management


With the average cost of a data breach now hitting a staggering £3 million, CEOs and company executives all over the world are becoming increasingly nervous about their cybersecurity posture. Not only is company data at risk, but so are reputations and customer trust.

The problem that security teams face time and time again is that although executives are thoroughly familiar with financial risk management, they are far less comfortable when it comes to understanding cyber risk. The most common misconception today is that cybersecurity and risk management are technology problems. What business leaders fail to realise is that cybersecurity is as much a business problem as financial risk.

Let’s take a closer look at what executives get wrong about cybersecurity and risk management.

Dangers of focusing on technology

Executives without a computer or technical background tend to think of cyber risk in terms of technological threats. This can be a catastrophic way of thinking for businesses in today’s digital age.

When non-technical business leaders are under the impression that cybersecurity is a technology problem, cyber risk becomes scarier than ever because they don’t fully understand it. So they fall into the trap of managing cyber risk reactively rather than pre-emptively: they outsource everything without understanding what’s going on, or they try to buy their way out of a breach. What they should be doing is investing in long-term solutions that aid their internal security teams, encouraging those teams to work alongside external cybersecurity firms to continuously monitor and react to potential threats, and investing in solutions that protect their networks and data.

The Harvard Business Review recently wrote about the pitfalls of cybersecurity efforts that focus only on technology. When companies focus only on technology, the result is leaders who are poorly informed and organisations that are poorly protected. Discussions of cyberthreats end up being filled with specialised tech jargon, and senior executives can’t participate meaningfully in them. The responsibility for addressing risks then gets relegated entirely to cybersecurity and IT staff, whose attention falls mainly on corporate computer systems. The outcome tends to be a long, ill-prioritised list of mitigation tasks. Since no company has the resources to fix every cybersecurity problem, important threats can go unaddressed.

The HBR continues that a more fruitful approach is to adopt the view that cybersecurity should focus on threats’ potential impact on a business’s activities. Say you’re an executive at a chemical company. Instead of asking what cyberattacks might be possible on your computer systems, ask: how could a cyberattack disrupt your supply chain? Or expose your trade secrets? Or make you fail to meet your contractual obligations? Or cause a threat to humanity? That adjustment might seem minor, but when leaders start with crucial activities, they can better prioritise the development of cyber defences.

Of course, it must be made clear that using an internal security team, engaging an external cybersecurity firm or purchasing a security solution is certainly not a bad move. It is the fundamental basis of what will save your company from data breaches or cyberattacks. But although these steps are important parts of any cybersecurity strategy, they will not fight off attacks on their own. It is people who will do that, using the technology they possess. So an engaged business leader who understands what’s needed and what should be done is key to delivering an effective cybersecurity strategy. It should now be clear why cybersecurity isn’t solely about technology, but mainly about people and business.

Cybersecurity to protect your business

An executive’s job is to align cybersecurity with the organisation’s overall business goals. They should look at the company’s objectives and needs and make a list of security priorities instead of focusing on the technology itself. Some of the following questions might be asked:

  • Which assets need to be prioritised and protected the most?
  • How might a cyberattack disrupt the organisation?
  • Which vendors are not secure?

Once a security assessment has taken place and a list of priorities has been drawn up, business leaders can work with IT and security teams to protect company assets and prevent a breach.

Is cybersecurity a people problem?

A majority of cyberattacks may very well be carried out using technology, but they are not particularly technologically sophisticated. Humans are the key. For example, social engineering attacks rely on humans falling for a scam or making bad decisions in order to be effective. Phishing attacks are on the rise, and malware and ransomware attacks are also widespread. Good cybersecurity measures, company-wide training and staff common sense are the best ways to repel such attacks.

Cybersecurity threats also include simple human error, such as weak passwords, configuration errors, and other failings that can leave your organisation wide open to attack. Maintaining a strong security culture within your organisation is the best way to counter such threats. Cybersecurity isn’t only a job for the IT and security teams, but for everyone who works within the organisation – they must be educated and always on the lookout for anything that could cause damage to your organisation.

A security-first culture can only come from the top down. Once your workforce recognises that the CEO and company executives believe in cybersecurity, they’ll come on board too.

Get in touch with RiskXchange to find out more on how to improve your cybersecurity posture.

How RiskXchange can help

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers.

With full visibility over your ecosystem’s entire attack surface in near real time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.

About RiskXchange

RiskXchange provides a powerful AI-assisted, yet simple, automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cybersecurity risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.

RiskXchange is an information security technology company that helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.