Convincing business executives that they need to invest more in cybersecurity has always been challenging, even in the best of times. A survey of 722 C-level executives conducted by PwC, however, suggests the times are finally changing.
The survey finds nearly half of respondents (49 percent) said they are increasing investments in cybersecurity and privacy. More than three quarters (79 percent) also said they are revising or enhancing cyber risk management. A full 84 percent also noted they are either monitoring closely or acting on potential regulatory changes, the survey finds.
Budgets remain a small piece of the pie
However, the PwC survey is telling in that, despite all the cybersecurity threats organizations face, it can be inferred that 51 percent of respondents are most likely either keeping their current cybersecurity investments the same or looking to reduce them outright.
Naturally, there is always a temptation to reduce cybersecurity budgets during any downturn, but it is clear cybersecurity is now viewed within a larger business context. Historically, it was viewed mainly as a cost of doing business that was funded as part of the overall IT budget. Most IT budgets are about two to three percent of annual revenue, so the share of that budget allocated to cybersecurity has been, for all intents and purposes, relatively negligible as a percentage of revenue.
C-level interest in the risk of cyberattacks growing
What is changing the way business leaders think about cybersecurity is that, as organizations invested more in digital business transformation initiatives in the aftermath of the COVID-19 pandemic, an increasing number of business executives began to appreciate the level of risk cyberattacks represent. An increase in ransomware attacks that coincided with that digital business shift added more perspective, as it became clear that an entire business could be crippled to the point where it might actually fail. Add in the potential for global cyber warfare in the wake of the invasion of Ukraine and it’s never been easier for cybersecurity professionals to get the attention of C-level executives.
The challenge, of course, is that a lot of cybersecurity professionals don’t always understand how business executives think. From the very first day of business school, executives are trained to evaluate risk versus reward. Nothing ventured is still nothing gained. Business executives may implement some additional measures to reduce risk, but they are almost never going to completely ignore a business opportunity because of cybersecurity concerns.
As such, it’s critical for cybersecurity professionals to remember when engaging with C-level executives that those executives typically don’t have the same fear of risk. Every decision for them is a game of probability involving degrees of risk. Most of the time they want cybersecurity teams not to prevent every risk but simply to narrow the odds in favor of the business.
Empathetic perspectives can empower cybersecurity teams
Given the current chronic shortage of cybersecurity expertise, cybersecurity professionals generally enjoy the privilege of being able to decide what type of organization they want to work for. There’s not much sense in working for an organization that doesn’t take cybersecurity seriously, especially when it will be the cybersecurity team that is blamed when, inevitably, something goes horribly wrong.
Nevertheless, before giving up, cybersecurity professionals should ask themselves if they are really framing the level of cybersecurity risk the business is taking on in a way a business leader can fully appreciate. Unfortunately, the answer to that question is negative more often than far too many cybersecurity professionals yet realize. As such, whenever there is a cybersecurity incident there really is plenty of blame to go around, so perhaps the better part of valor now might be to start the conversation anew, but this time from a much more empathetic perspective.