As organizations continue to expand their digital footprint, the risks associated with digital business are increasing in quantity and complexity, and the need to provide continuously available services to customers requires organizations to become more reliable and resilient.
Digital transformation projects therefore need to be managed and executed well, which means embedding cybersecurity from the outset. The unfortunate reality, however, is that security continues to be an afterthought for a vast majority of these projects.
Too often, security is seen as slowing down digital transformation rather than enabling its success. Under time pressure to get a project up and running, sound security considerations are dropped, and that is a problem for any organization striving for true business resilience. With cyber attacks growing more frequent and more widely reported, businesses must recognize that their customers are more aware of cyber issues than ever before, which makes embedded security a genuine competitive advantage.
A Dimensional Research survey highlighted that 76% of organizations agreed that security considerations were added too late in their digital transformation projects, meaning that projects needed to be retro-fitted after key decisions had been made. In the same survey, 85% said that the security team could have done a better job if they had been included earlier in the project.
The key challenge for the security team is to convince the business that no digital transformation project should ever start without its security implications being understood.
The question is: who makes up the security team? And which person is ultimately responsible for driving discussions around the benefits of integrated cybersecurity?
The answer isn’t a straightforward one. According to the findings from our new Risk:Value Report, responsibility for day-to-day security doesn’t seem to fall on any one person’s shoulders – 22% of organizations said the CIO was ultimately responsible for security, compared to 20% for the CEO and 19% for the CISO. 15% thought the buck stopped with the IT director.
It’s a concern that one in five CEOs of large organizations is managing a specialist task like day-to-day security. Are they being spread too thin, and are they truly able to oversee a security function in addition to their other critical corporate duties?
What’s clear is that no single executive function is stepping up to the plate. The same report found that, while more people see the need for regular boardroom security discussions, their companies are failing to raise it sufficiently at C-suite level. A worrying disconnect.
A lack of clear leadership at board level, combined with a tendency to hand off responsibility for information security entirely to the IT department, creates exactly the gaps an attacker looks for.
For as long as we continue to see gaps in responsibility, and senior leaders fail to take cybersecurity seriously enough, mistakes in business can and will continue to happen.
As a consequence, organizations may fail to fully embrace digital initiatives which, if implemented securely, can add tremendous value.