Security leaders report pressure from boards to downplay cyber risks


Cyber security leaders have reported that they feel pressure from their board to downplay the severity of cyber risks facing their organization.

A new report from Trend Micro highlights a growing ‘credibility gap’ between CISOs and boardrooms that means security leaders are finding it hard to convince boards to free up funds to improve the business’ cyber resilience.

Sapio Research, commissioned by Trend Micro, spoke to 2600 IT leaders across LATAM, North America, Europe and the Middle East about the common frustrations and pain points they are experiencing.

Concerningly, 79% of the respondents said they have felt pressure from the boardroom to understate or play down the severity of the threat facing the business from cyber attacks.

When asked why they thought this was, 43% said it is because they are seen as being ‘repetitive’ or ‘nagging’ when they raise security concerns, and 42% said it was because the board views CISOs as overly negative.

Furthermore, a third of senior security personnel reported they had been dismissed out of hand by the board when trying to update them on potential cyber risks.

This attitude is not just limited to the board, however, and Trend Micro also found that only half (54%) of respondents believe their C-suite completely understands the cyber risks facing the organization.

Part of the problem, according to 34% of respondents, is that senior decision makers at their organization still consider cyber security as part of IT risk, and fail to appreciate the risks a cyber attack can pose to the entire business.

The vast majority of respondents also felt that these attitudes will only shift when board members observe the damage a significant security incident can cause first hand, with 80% stating they believe only a serious breach would force boards to act more firmly on cyber risk.

Simon Bain, CEO at data analytics firm OmniIndex, told ITPro that without a clear understanding of how their investment will provide business value and bring returns, boards can be stubborn about shifting their behaviors.

“Until an attack happens, it is easy to believe it never will. As such, board members are often reluctant to invest in preventative measures as they do not see an immediate return on investment,” he said.

“What’s more, most companies will have invested in their cyber security ‘at some stage’ and are therefore pained to continue investing – even if their experts are telling them that their defense is out of date and vulnerable.”

Bridging the credibility gap - putting cyber risk in the right context

Trend Micro’s research suggested that CISOs may be able to address waning interest from boards by expressing their security concerns in terms of the business value that cyber resilience can deliver.

For example, 46% of security leaders said when they’ve been able to measure the business value of their cyber security strategy, they’ve been viewed with more credibility.

In addition, 45% said they were given more responsibility, 44% said they were seen as a more valued function of the business, and 41% reported they were brought into senior decision making as a result.

Speaking to ITPro, Martin Tyley, global lead for Cyber Risk Insights at KPMG UK, argued that rather than pressure from boards, the real problem holding back investment in cyber resilience is security leaders failing to put cyber risk in the context of wider risks to the business.

“It's not that CISOs always feel pressure from the Board to downplay the severity of the cyber risks facing their organization; rather, how they are measuring it may not necessarily provide an accurate representation of the risk level and where additional cyber security investment is needed”, he noted.

“Cyber risks don’t always have an immediate, obvious impact, meaning the effects are not felt straight away. For example, data loss or leakage is a long-term issue, as opposed to a ransomware attack. This can make it difficult to communicate to the Board the potential severity of a cyber-related problem.”

Tyley outlined where he thinks security leaders are going wrong in how they measure and convey cyber risk to non-technical audiences.

“When measuring cyber risk, CISOs typically rely on a basic security risk assessment matrix that considers two factors: how likely is it that the risk will be realized, and how damaging would the risk be to the organization? The result is a figure that quantifies the organization’s security risk”, he explained.

“However, this is an immature and subjective approach that can massively underestimate the true risk level. If CISOs then simultaneously downplay the organization's cyber risk, they will not be able to justify the level of investment required to boost their organization's cyber resilience. This puts the organization in increased danger of a cyberattack, with severe ramifications.”

Matt Middleton-Leal, managing director EMEA at Qualys, told ITPro this is where many CISOs fail in their attempts to convey cyber risks to board members: they rely on technical jargon and statistics to convince non-technical board members.

“Many CISOs fall down around this because they discuss IT risks in an IT context, rather than a specific business context. If you are solely sharing technical information or threat data, then you aren’t sharing the kind of information that the board will value, and you are not providing guidance on what decisions to make around the business.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.