By Guy Golan, Co-Founder and CEO at Performanta
The way in which businesses approach cybersecurity and implement defence strategies is outdated and inefficient. And it shows.
UK Government research from 2023 revealed that 32% of organisations recall a breach or attack on their security in the last twelve months. This figure rises to 59% for medium businesses and 69% for large companies.
To contend with emerging technologies used to create increasingly diverse threats, organisations worldwide need to change the approach to cybersecurity and move beyond the bare minimum requirements. They need to ditch traditional practices typically founded on compliance and regulation, and adopt new methodologies designed to achieve true cyber safety.
If they don’t, we will only see the above numbers continue to rise.
Why are current cybersecurity approaches failing to deliver?
From SMEs to large enterprises, businesses have traditionally aligned cybersecurity efforts to compliance. While compliance forms the first step for digital security, cyber experts understand that it is the bare minimum standard of defence.
Cybersecurity compliance contains certain practices and protocols under a single umbrella without guidelines tailored to meet organisational needs. For example, regulated industries such as military or pharmaceutical companies intrinsically require more security than other sectors, but simply complying with cyber regulations fails to take this into account.
Treating compliance as the end point rather than the beginning of a journey towards cyber safety is a dangerous oversight for businesses. If cybersecurity becomes a tick-box exercise, instead of a proactive and diligent approach toward championing business safety, companies can become complacent when deliberating risk.
Tick-boxing compliance practices lead to siloed defence departments. What this usually looks like is IT and security teams, helmed by the CISO or CTO, having sole control over cybersecurity measures without the support of other relevant stakeholders. This is the reality, yet Accenture’s latest State of Cybersecurity Report found that 98% of C-Suite level executives believe cybersecurity is the responsibility of the entire C-suite.
However, awareness of cyber threats across enterprises demonstrates further disjunction between cyber teams and key decision-makers; Performanta research found 60% of security leaders do not feel fully supported by the board. Unfortunately, as the C-suite continues to spin an ever-increasing number of plates, cybersecurity focus is lost as long as compliance is adhered to.
If stakeholders do not understand the risks posed to their business, cybersecurity departments are unlikely to receive the support they need to pursue cyber safety. Equally, siloed cybersecurity efforts lead to misunderstanding and oversight in the C-suite’s cyber decision-making, as they do not fully recognise the risks at hand.
How does cyber safety solve traditional cybersecurity challenges?
To combat outdated and insufficient ‘best practices’ requires realignment to the concept of true business safety. Striving for cyber safety means changing current practices and adherence to the three core principles of visibility, transparency, and contextualisation. In doing so, businesses place themselves in better stead to address operational challenges.
Reaching a higher level of visibility and transparency among key stakeholders is fundamental. A major part of this involves making cybersecurity accessible to those outside of the security team. Research shows that almost half (48%) of C-level security specialist respondents stated that security jargon and confusing industry terms are the biggest barrier to the broader management team’s understanding of cybersecurity and how they should tackle it.
To create a cyber environment that encourages effective decision-making, security teams must change reporting methods. Creating an easy-to-understand report that clearly illustrates the issues faced by the business, backed up by data, helps produce a clearer understanding from the C-suite. They can then enter the cyber conversation easier and collaborate better with all departments.
Reporting should be delivered with context that outlines the impact on the business to encourage the C-suite and shareholders to incorporate cybersecurity more closely into their wider strategy. In doing so, the business can consider risks more accurately and with a greater degree of understanding, producing more effective decision-making for the long term. The starting point for this would be a thorough understanding of why businesses need to move beyond simply compliance to make their operations safer.
Unlike compliance, cyber safety cannot be achieved through a series of tick-box exercises, but rather a realignment in where cybersecurity operations sit within a business. Transparent reporting, which measures against overall business impact, and encouraging C-suite and security departments to collaborate in their pursuit of true safety will produce an environment realigned to improve resilience. There’s no time to waste.
