Why cyber security leadership must start in the boardroom

Culture & performance


cyber security leadership






Regardless of how you look at it, 2017 was a pretty terrible year for cybersecurity.  We are now continually reminded by media headlines that attacks are up, breaches are far-reaching, and the bad actors responsible are more sophisticated than ever. Security breaches are now so common they are beginning to fade into the background of the news cycle. But it shouldn’t be like this.


When it comes to security many organisations are falling short of the mark by failing to take basic steps to mitigate risk. More worryingly, data breaches often go unreported – leaving millions of customers completely unaware that their personal data is exposed.  


Last year there was a recognisable shift in who the public holds responsible for breaches. Faceless hackers are no longer a legitimate scapegoat for companies whose security is not up to standard. When breaches go public reputational damage, loss of shareholder value, and a decline in customer confidence can have a far more draconian impact that a fine ever could.


Technical solutions to modern sophisticated attacks are increasingly available. However, many of these tools remain unused by businesses. To bring about change, there needs to be a fundamental change in the way organisations approach cyber security leadership. It can no longer be viewed as a mere box ticking exercise. The onus should be on business owners to fully understand the risks they are creating for customers and take steps to mitigate them.


A stream of failures


Gizmodo put together a list of 2017’s ‘Great Data Breach Disasters’ which reviewed the slip-ups that wreaked havoc at affected companies and organisations. Failures at the leadership included negligence in risk management and poor handling of incidents after they occurred. These lapses ranged from the merely embarrassing to the downright infuriating.


In one ironic case, a cybersecurity consulting firm failed to implement basic protections on its network and took several months to discover that email chains with some of their most important clients were accessible. An even more egregious example was that of the financial firm who failed to notify millions of customers that their data had been compromised and subsequently attempted to mislead them once the breach went public.


While results from scientific studies don’t have the same impact as real-world breaches, they highlight areas of concern. According to the Identity Theft Resource Center (ITRC), the total number of breaches rose 40 percent in 2016, and midyear report by the same firm predicted another 37 percent jump by the end of 2017. Another study carried out by Ponemon revealed that 56 percent of companies experienced a breach due to third-party error last year, marking a 7 percent increase from 2016.


It seems likely that we will see more breaches attributed to third-party error over the coming years. Under the new GDPR regulations, companies will be held responsible for the way their data is used by third-party partners. Business owners need to begin dedicating much more attention to tracing where their company data goes and how it is being used.


Proactive security leadership


So what can we learn from the ‘great data breach disasters’ of 2017? Well, one thing is clear – the stream of failures points to a broken mindset and a haphazard approach to cybersecurity at the executive level in many companies. When those at the top fail to be proactive about security, this attitude inevitably permeates down through the rest of the organisation. In such cases, it’s really only a matter of time before a breach occurs. In order to bring about real and lasting change, it has to start at the top.


There is now a real need for security leaders to help executives understand the risk their organisation is facing from both a security standpoint and a business perspective. While security needs to be enhanced, the process of doing so must fit into existing business models in a cost effective way. For their part, top leadership must begin to actively engage with cyber security initiatives and budget accordingly.


Security is not something that can be ignored ad infinitum. Executives that choose to bury their head in the sand now will pay for it dearly in the future. But while attackers are out there, so are effective policies, tools, and resources to help businesses protect their most sensitive data. Executives need to take stock of the dangers they are facing and tackle them head on.



Discover why we’re different than other IT recruitment agencies.

Browse our latest Security jobs