Cyber Resilience is Still an Afterthought
Business leaders must understand cyber resilience for their organization’s survival. Despite being critical to success, it is still an afterthought.
Business leaders, not just IT, are key to understanding the profound connection between the organization’s survival and cyber resilience; however, for many of them, security is still an afterthought.
A recent report assessed how business leaders view cybersecurity and resilience today, assessing where they see cybersecurity in the hierarchy of organizational priorities, how they are allocating budget and resources, and the dynamic between IT and C-level executives regarding cyber resilience. Unfortunately, 72% reported that their organizations do not specifically invest in cyber resilience beyond cybersecurity, and 61% revealed there’s a lack of understanding about cybersecurity at the board level. Thus, it is reasonable to infer that business leaders continue to underestimate the harm a major cyber incident could create for them and their customers.
Cyber Resilience is not Considered an Initiative for the Whole Organization
According to the report, 74% of respondents say cyber resilience is primarily the responsibility of cybersecurity teams and is not an enterprise-wide priority. For industries such as healthcare and retail, the dependence is even higher, increasing to 76% and 83% respectively. Cyber resilience requires C-suite and board support, however, as it currently stands, some IT teams are managing IT and security without executive support. 63% of respondents say leadership doesn’t prioritize cyber resilience, and 72% admit that their governance team doesn’t understand it.
What’s Preventing Cyber Resilience?
The answer varies for every organization, but there are common indicators that demonstrate why business leaders are making decisions that prevent them from establishing cyber resilience. In today’s environment especially, dynamic computing has shifted the digital transformation journey for most organizations, causing a constant weighing of innovation versus risk. 74% of business leaders reported the opportunity of computing innovation outweighs the corresponding increase in cybersecurity risk.
As such, essential security considerations are often missed. Whether it be vulnerabilities in the software and physical supply chain, improperly launched applications that compromise user privacy, data migrated to the cloud without proper configuration settings, or unsecured endpoints, the consequences of not prioritizing cyber resilience can leave an organization extremely vulnerable.
One key disconnect, as revealed in the report, is that C-level executives are more likely to report that cybersecurity is discussed as part of corporate-level decision-making than their teams. Specifically, less than half of non-C-level respondents say cybersecurity is typically included in computing planning (40%) or corporate strategy discussions (46%).
Furthermore, silos continue to prevent businesses from implementing and enforcing organization-wide processes that support resilience. Instead, businesses frequently have ad hoc and inconsistent measures in place. As revealed in the report, 47% of organizations have cybersecurity processes that are standardized across the enterprise, and only 35% report having a formalized incident response plan. Companies with more than 10,000 employees are nearly 30% more likely than those with fewer than 2,000 employees to have standardized processes, and about 10% more likely to have formalized incident response mechanisms in place.
Most importantly, business leaders continue to prioritize funding cybersecurity emergencies over proactive investments into resilience, as reported by 77% of business leaders. The report also indicates that for 68% of those at the leadership level, cybersecurity resilience initiatives aren’t factored enough into the organization’s budget. Instead, budgets are typically allocated to reacting to cybersecurity incidents, with the top drivers being new compliance requirements (46%), competitor breaches (42%), and internal breaches (38%).
Moreover, only 26% of business leaders prioritize cybersecurity spending in mergers and acquisitions (M&A) scenarios, and 78% believe measuring cybersecurity investments based on ROI is outdated.
Closing the Cyber Resilience Gap
It’s imperative to view cyber resilience as a strategic business priority, not just a technical issue, and it starts with prioritizing IT and building security into everything you do. A holistic approach encompassing all aspects of the organization is crucial, and the report underscores the critical need for business leaders, not just IT professionals, to recognize the strategic importance of cyber resilience.
As organizations work towards closing the cyber resilience gap, some indicators show positive signs. The adoption of Cybersecurity as a Service (CSaaS) is increasing, with 32% of organizations reporting that they outsource cybersecurity needs rather than managing them in-house. Additionally, over 40% of organizations reported relying on external experts for strategic planning, security architecture, and data management, reflecting the benefits of strategically extending cybersecurity teams with specialized service providers.
Budget allocations are also shifting in a positive direction. Since 2023, there has been a notable increase in resources dedicated to cybersecurity to align with evolving regulatory requirements, such as deeper reporting on software bills of materials (SBOMs), and with the demands of dynamic computing.
Cyber resilience is not merely a cybersecurity issue; it is a comprehensive business initiative integral to business success. Every business leader should strive to steer their organization towards a secure future, and achieving this requires a fundamental shift in mindset and approach.