Despite the current cliché that ‘security is top of mind’ with business leadership, a new report from the World Economic Forum (WEF) highlights the continuing gap between business and security leaders.
The report, WEF’s Global Cybersecurity Outlook 2022, was described to SecurityWeek as “the launch of our flagship report that we are planning to publish every January,” but it is somewhat disappointing given WEF’s resources.
The report was compiled from a combination of four sources: “first, a survey of global cyber leaders; second, Cyber Outlook Series sessions conducted by the World Economic Forum throughout 2021; third, multiple interviews with experts and bilateral meetings; fourth, data collected from reports, research and articles published by the World Economic Forum and reputable third parties.” In total, it adds, the WEF team “has consulted with 120 global cyber leaders over the past year.” That is a very small number of respondents on which to base a major analysis.
If you ask a small pool what concerns them, they will learn very little when you repeat back to them what concerns them. Thus, no cybersecurity professional will be surprised or informed by WEF findings such as “As many as 80% of cyber leaders stressed that ransomware is a dangerous and evolving threat to public safety. The survey confirmed that ransomware attacks are at the forefront of cyber leaders’ minds, with 50% of respondents indicating that ransomware is one of their greatest concerns when it comes to cyber threats.”
There is, frankly, little of value in being told that the three threats that most concern global cybersecurity leaders are ransomware, social engineering and malicious insider activity (the last of which will potentially increase as a result of the current so-called Great Resignation, although this isn’t mentioned).
A further weakness in the report is that it doesn’t specify the questions that were asked within the survey. Surveys are notoriously difficult. There are multiple areas of potential subjectivity in both the questions asked and the answers given – making an objective analysis of responses very difficult. If the questions are listed, the reader can apply his or her own view on the likely accuracy of the results.
However, such criticism of the report does not mean that it has no value, and that nothing can be learned from it. The report highlights, for example, the cybersecurity perception gap that still exists between security leaders and business leaders. Although we are frequently told that security is ‘top of mind’ with the board, this is a view not necessarily shared by the security pros.
For example, 100% of business leaders agree with the statement, “Cyber resilience in my organization is integrated into enterprise risk management” – but less than three-quarters of the security leaders agree. Elsewhere, 92% of business leaders believe that security is prioritized in business decisions, while only 55% of security leaders agree. Forty-one percent of business executives believe that cyber resilience is an established business priority, but only 13% of security-focused executives agree.
Other cybersecurity ‘perception gaps’ noted in the report include the common belief among security leaders that they are not consulted in business decisions, leading to less secure decisions and more security issues; and a low appreciation among business leaders of the dire effect of staff shortages within security.
The report suggests that these perception gaps can be bridged through, among other things, ‘gaining leadership support’ with security leadership ensuring “regular communication between cyber and business operations teams.” There is no parallel recommendation that business leaders should better communicate with security teams.
The need for better communication is a priority understood by most security leaders (see the SecurityWeek CISO Conversations series); but effective communication is by definition a two-way process (otherwise it is just one-way reporting). The security perception gap most likely exists because communication between security and business is, for the most part, unidirectional.
It is tempting to conclude that levels of cybersecurity and cyber resilience could be improved by business leadership not simply listening to (and often ignoring) the security leadership, but actually including the security leader in business plans and processes with an open mind. The relationship between security and business is not simply the responsibility of the security team.
The strength of the WEF report is that it highlights this issue, and in doing so indicates a possible area for future research and reporting: how do we get business leaders to better include security leaders in business decisions?
In the foreword to the report, Jeremy Jurgens, managing director at WEF, writes, “Building cyber resilience is a core focus of the World Economic Forum Centre for Cybersecurity. We bridge the gap between cybersecurity experts and decision-makers at the highest levels to reinforce the vital importance of cybersecurity as a key strategic priority.”
The weakness in the report is that it seems to throw the onus onto security leadership without adequately educating business leadership in their responsibility to the process. Security professionals understand the need to communicate with business leaders – but do business leaders understand the need to communicate with the security team?