Cyber security not a UK boardroom priority

New research from consulting firm KPMG claims that cyber security and data protection are only ranked third as priorities in UK boardrooms, following people skills and plant/machinery spending.

CEOs and CISOs must share blame for data breaches

The annual ‘Business Instincts Survey’ took in responses from 498 C-level executives in UK organisations, and found that under-investment in security technology has left many firms acknowledging the need to increase their spend on IT security.

Despite this, 36 percent of respondents said their top priority remains people skills, followed by 19 percent reporting that plant/machinery was their secondary concern, with cyber security trailing in third position on boardroom agendas.

Martin Tyley, a partner in KPMG's cyber security practice, said that, whilst we hear every day about new cyber-attacks and incidents, the knock-on effect is that boardrooms become wary of scare-mongering.

"I see a real risk of boardrooms doubting the severity of the issue and the extent of their vulnerability. Instead, by better understanding the cyber threat landscape and ensuring cyber security is weaved into everything else that is done, it's much easier to positively manage the risk rather than reacting when things go wrong," he explained.

Delving into the research reveals that board professionals are concerned about how social media is used to liaise with customers, but they remain unsure how to maximise the opportunities secure technology can offer - collectively ranking ‘the need to get the best from IT investment’ as a most important technology-driven priority.

Tyley said the changing nature and rising number of cyber-attacks makes IT security a very real and present danger.

"The right approach is to remain aware of the changing cyber and technological threats facing business, training staff as they are on the front-line when it comes to security and making sure that responsibility is understood to be a firm-wide issue," he observed.

Commenting on the research findings, Adrian Davis, EMEA managing director with not-for-profit security association (ISC)², said the fact that cyber security and data protection rank (albeit third) on the boardroom agenda is in itself a commendable improvement.

"If you look back just two to three years, there wasn't much discussion on the issue. Of course, we still have a way to go, but there is recognition of the business-crippling effects of cyber-crime. Businesses and the information security profession together need to actively drive a better understanding of the cyber risks and how they can be curtailed, ideally pre-empted," he said.

“Perhaps the result of an inadequate understanding of what cyber security entails, technology on its own will not solve the problem – alongside it, processes and people play an equally critical role. The security threat landscape is continuously altering and without the right professional skills to grasp the situation, devising an effective solution is not possible,” he added.

“The recent breaches of the last month have taught us that we constantly need to be on our toes, and even a step ahead. The security challenge will continue to grow unless we factor in cyber risks and security measures into every single business-critical initiative from the start,” he noted.

Davis went on to say that we - as an industry - are reaching the stage in the evolution of cyber security where cyber awareness and training must form part of the larger ‘investment in people’ programmes - not just for information security professionals via certification such as the CISSP, but also for employees broadly.

Davis' comments were echoed by Professor John Walker, a visiting professor with Nottingham Trent University's School of Science and Technology, who said that many boards - in his experience - only pay lip service to cyber security, meaning that, whilst they appear to be taking the issue seriously, they are not prepared to invest in the required technology to defend their systems.

"The problem is that the security managers cannot get the main board buy-in they need to invest in the required technology. What I am also seeing is that the newer generation of security professionals are too bound up in governance and check-box issues, rather than taking on board the big security picture," he explained.