“The psychological need to be perceived as competent and avoid embarrassment is universal, but when it blocks achievement of higher cyber resilience, it can’t be allowed to drive organizational behavior.”
Although most organizations are prepared to commit significant resources to protecting their intellectual property and their customers’ personal information, we occasionally encounter an outlier. A resistant attitude surfaces well into the conversation as we discuss what steps can be taken to mitigate cyber risk.
Since the middle of last year, we’ve spent significant time talking about cyber risk with people at all levels. We rarely hear a senior executive deny that their company is at risk. We rarely have to educate our audience about the danger of cyber breaches, since daily headlines continually announce the latest hacking incidents. What is troubling, however, is the lack of attention to cyber risk mitigation still found in many organizations.
The statistics below were extracted from an infographic in an article outlining good first steps toward cyber risk mitigation. In describing why companies should pay attention, its author, Pete Metzger, vice chairman of DHR International, reports that, “Despite a 64 percent increase in Internet security breaches last year, only 25 percent of U.S. organizations are prepared to defend against a cyber attack. If you think that is chilling, consider that only 37 percent of boards have a cyber threat response plan in place and 58 percent are not actively preparing for a potential breach.” These statistics confirm that a widespread lack of preparedness still exists.
The resistant attitude mentioned earlier is rarely seen, but it’s unmistakable when it surfaces. The affected individual cringes when they learn that the result of using our platform will be an organization-wide picture of true cyber resilience. The effects are positive: enabling efficient assessment and monitoring provides an accurate picture of cyber resilience, guides clients to the highest priority next steps based on knowledgeable guidance from industry experts, and enables collaboration between affected stakeholders.
But monitoring 400 control points also means there’s “nowhere to run, no place to hide.” Transparency is positive for most, but for some, the thought of everyone seeing clearly what cyber defensive measures are and are not in place makes them feel vulnerable. They may even resist a detailed evaluation.
Every stakeholder must understand that sticking their head in the sand until this blows over is not an option – it’s not going away for the foreseeable future. They also can’t push this off as simply an IT problem. Organizations must develop a culture where “cyber risk belongs to all of us,” and widespread acceptance that “we’re all in this together.” While the psychological need to be perceived as competent and avoid embarrassment is universal and understandable, it can’t be allowed to drive organizational behavior that prevents achievement of higher cyber resilience.