An increase in the overall cyber threat level combined with several critical cyber-attacks on major, international consumer businesses has elevated cybersecurity to the leadership and boardroom agenda.
Our survey shows that cybersecurity is frequently being discussed by top management in the Danish consumer businesses participating in the survey. However, the survey also reveals that there is still room for improvement in many organisations.
What does the survey show?
According to 37% of the Danish consumer businesses surveyed, cybersecurity is on the leadership agenda weekly or monthly. 28% discuss cybersecurity in the boardroom on a quarterly basis, while 35% indicate that cybersecurity has the leadership’s attention twice a year or less frequently.
Cybersecurity poses a significant risk to today’s businesses. Therefore, it is positive to see that cybersecurity is being prioritised and discussed by the leadership of Danish consumer businesses. Beyond the obvious and well-known negative commercial impact of a cyber-attack, this increased prioritisation could be catalysed by a growing cyber concern. The growing concern might be a result of the high-profile incidents Danish and international consumer businesses have experienced during the last couple of years.
The question, however, is whether the prioritisation and boardroom discussions equal increased execution of necessary and critical cyber efforts. In Deloitte’s experience, this shift from discussion to action still needs to mature.
The fact that 35% of the respondents indicate that cybersecurity is not on the leadership’s agenda more than once or twice a year poses a significant threat to those businesses. Without having frequent discussions with IT managers and CISOs, it can be difficult for the top management to make informed decisions about efforts such as the cyber budget, risk appetite and the overall security level. It is critical that the leadership is informed regularly, but also that it is directly involved in the strategic cyber initiatives. The sudden surge in cyber-attacks during COVID-19 is a good example of why it is necessary to meet and discuss the cyber threat assessment regularly.
The broader picture
Briefing the top management
An organisation’s top management needs to be frequently briefed on the threats faced by the organisation as well as the commercial risks posed by those threats. Such briefings should occur at least every quarter and preferably more frequently when the organisation so requires. More frequent briefings could, for instance, take place during major strategic changes in the organisation or as a result of a sudden change in the threat assessment.