Prioritising cyber in a cost of living crisis
The Department for Science, Innovation and Technology (DSIT – a recent amalgamation of parts of DCMS and BEIS) has just released its seventh Cyber Security Breaches Survey: an annual data gathering exercise across businesses and charities on their approach to cyber security. In the first of a series of blogs reflecting on its findings, we consider the success story of Board engagement and accountability for cyber security, and discuss how to maintain that focus and momentum when other risks compete for seniors’ attention.
Increasing Board engagement is a cyber security success story
According to the 2023 Cyber Security Breaches Survey, eight in ten large businesses (81%) and two thirds of medium businesses (65%) update their senior team at least quarterly on the state of their organisation’s cyber security, underpinned by a formal cyber strategy in 68% and 36% of large and medium businesses respectively.
Additionally, around seven in ten businesses (71%) and six in ten charities (62%) reported that cyber security is a high priority for their senior management this year, and approximately 30% of both businesses and charities reported that there is a board member or trustee with explicit responsibility for cyber security.
These figures are a cyber security success story. Getting senior management and boards invested in cyber risks has traditionally been one of a CISO’s toughest challenges, with executive engagement hampered by lack of awareness, understanding or interest. The experience of one of our own Principle Defence team, who was once told by a company’s Chief Legal Officer not to report on cyber risks, “because if we don’t know about it then we can’t be held liable”, was not uncommon.
Times are changing, however: recent high-profile convictions of individual executives over cyber security failures, the ongoing litany of breaches within big-name and well-protected businesses, and the successful Board-level campaigns conducted by the National Cyber Security Centre (NCSC) are bearing fruit.
Figure 2: Percentage of organisations over time where cyber security is seen as a high priority for directors, trustees, and other senior managers (source: DSIT 2023 Cyber Security Breaches Survey)
However, despite the encouraging numbers reported in the study, the data shows that the priority given to cyber security has actually declined in about 10% of businesses and charities surveyed this year, as compared to 2022. DSIT’s report suggests that, where focus has dropped, it is likely due to competing business priorities and challenges, understandable in a year that has experienced spiralling energy costs, supply chain disruption, rapid inflation and widespread industrial action. The data suggests that the impact has been most concentrated in small and micro-businesses, where cyber was already a more marginal priority, and where investment can only stretch so many ways.
So how can cyber security professionals maintain hard-won momentum and senior attention on cyber risks in the face of competing priorities and resourcing challenges? And is it OK that cyber isn’t always at the top of a business’s risk register?
The basis of good risk management is to know your risks, and then be able to compare between them. However, cyber risk assessment (like that of many other security threats) typically suffers from a lack of comparability with more historically mainstream risks. How is a Board member meant to make informed resourcing choices between a known contractual liability of £X million, and a cyber attack risk of ‘high’? Enabling decision-makers to compare apples with apples by quantifying cyber risks in the same way as any other business risk is the first step in enabling logical decisions about prioritisation. Methodologies like Factor Analysis of Information Risk (FAIR) do a great job of putting a ££ number to nebulous threats, and can help cyber security professionals talk the same language as their CFOs.
Another good tactic is to ensure these risks are reviewed – and properly discussed – regularly. The survey’s figures on frequency of Board reporting are encouraging, but they don’t tell us about the quality or extent of discussion of cyber risks in these senior meetings. A risk register buried on slide 76 of a corporate pack may technically fulfil reporting requirements, but is unlikely to generate a strategic discussion about how risks are evolving and how priorities might need to change. Good risk governance means ensuring seniors are equipped with the data and the understanding to make informed decisions that take into account the changing external threat landscape and evolving internal resourcing demands. The survey’s finding that only 16% of corporate annual reports published by medium-sized businesses in the past year mentioned cyber suggests that this might not always be the case.
The primary factor underpinning poor cyber security maturity in most organisations is a lack of risk understanding, resulting in skewed risk appetites that don’t appropriately reflect the organisation’s risk exposure. If your organisation has identified, assessed and analysed its cyber risks, and you have confidence that your analysis is up-to-date and reviewed regularly, it’s not the end of the world if your team isn’t top of the priority list this year. After all, it may mean that, rather than failing to make an impact on your seniors, you’ve been doing something right.