Cyber security has risen as a key issue on the radar of virtually all organisations. As a recent AT Kearney report suggests, cyber-attacks have been topping executives’ lists of business risks for three straight years. In fact, the overwhelming majority of organisations have experienced some form of cyber-attack at some point over the past few years.
This concern is also driven by security and privacy becoming increasingly valued by customers and the media, and by regulators who are now stepping into the topic with the ability to impose business-threatening fines (GDPR in Europe, California Consumer Privacy Act of 2018). In parallel, the cyber risk landscape is ever-complexifying – with new technologies such as AI bringing at least as many new threats as they bring opportunities to improve cyber security.
In this new age of “when-not-if” around cyber-attacks, it is worrying to see so many large organisations still struggling with the delivery of cyber security initiatives. Maturity levels on the topic have remained dangerously low, and in fact, the same AT Kearney study found that more than 60% of surveyed firms had not yet fully developed and implemented cyber defence strategy. Their findings echo those of many firms and research bodies year after year and the situation appears rooted in decades of short-sighted adverse prioritization of cyber security issues. It has also engineered a talent alienation dynamics which only reinforces the problem.