A surge in the general cyber threat level combined with several critical cyber attacks on major Danish businesses has finally put cyber security on the leadership and boardroom agenda of Danish ER&I businesses. But commitment has been mixed.
Top management at Danish ER&I businesses are clearly discussing cyber security. But although the survey reveals positive tendencies, there is still ample room for improvement.
What does the survey show?
According to 30% of the businesses surveyed, cyber security is on the leadership agenda weekly or monthly. 34% discuss cyber security in the boardroom on a quarterly basis, 8% on a bi-annual basis, while 27% indicate that cyber security has the leadership's attention once a year or less frequently.
Q: How often is cyber security on the top leadership’s agenda?
On a positive note, the survey shows that cyber security is taken seriously in some boardrooms and by some top management teams within the sectors. The increased threat level and the potential ramifications of a successful attack have forced cyber security onto the agenda.
But the fact that 27% of the respondents indicated that cyber security is on the management agenda only once a year or even less frequently poses a significant threat to those businesses. It is critical that IT managers and CISOs inform the leadership regularly. If not, it can be difficult for top management to make informed decisions on budget, risk and security level. Top management must thus take time to get directly involved in strategic cyber initiatives.
The consensus is that the cyber threat is surging. Therefore, every leadership team in each of the sectors should have cyber security at the top of their agenda. It is vital to meet regularly with expert-level employees to assess and discuss the cyber threat. The surge in cyber attacks during Covid-19 is a good example of why.
After all, it is the responsibility of management to ensure the creation of an effective strategy for when worst-case scenarios occur. The survey, however, seems to indicate that top-level discussions on cyber threats are not as frequent as recommended.
The bigger picture
Top management must be frequently briefed on the commercial implications of potential attacks. Such briefings should occur at least every quarter but preferably more frequently. A good occasion for a cyber security briefing could be during the preparation of major strategic changes in the organisation or as a consequence of sudden changes in the threat level.