by Lewis Duke, SecOps Risk & Threat Intelligence Lead, Trend Micro
Nearly all (99%) of IT security leaders in the global retail sector are fully or somewhat confident in the cyber-resilience of their organisation, according to a new study from Trend Micro. Is this confidence well placed? We don’t need to look far to think not. Over 3,000 breaches were reported to UK data protection regulator the ICO in 2023, with retail (18%) accounting for the second-highest number.
So, what’s going on? Our research indicates that CISOs aren’t getting their message across to the board convincingly enough. Many are dismissed out of hand—resulting in under-investment and erratic policymaking.
Head in the sand
Retailers have been a popular target for threat actors for some time. The large volumes of personal and financial information they process on customers make them a lucrative source of monetisable data. The explosion of e-commerce and the roll-out of EMV chip technology has forced data theft from in-store POS systems to back-end IT systems. An added risk for today’s retailers is the prospect of a ransomware-based data breach, which could lead to prolonged service outages, as experienced by Carpetright recently.
On the face of it, these challenges are well understood in the industry. Most (54%) of IT security leaders told us they rank cyber as their biggest business risk, and more are investing in this area than any other to mitigate risks like operational disruption and financial and reputational loss.
Yet on the other hand, many retail boards have an outdated view of the role cyber should play in their organisation. It is still treated as part of IT risk by 38% of responding organisations, and 41% believe their leadership doesn’t consider cybersecurity to be their responsibility at all. The result can be inconsistent board-level attitudes to cyber, which in turn can lead to piecemeal and reactive spending rather than long-term strategic planning. Over two-fifths (44%) of respondents told us that only a breach would incentivise the C-Suite to act more firmly on cyber risks.
Winning the board’s trust
This kind of aversion to dealing with cyber as a legitimate business risk is partly the result of poor board-CISO communication. In fact, a quarter (23%) of CISOs say they feel pressured to downplay the severity of cyber risks to the board all the time, while 66% do at least some of the time. A third claim to have been dismissed outright by the board.
The key to winning back trust in this area is to communicate with the board using metrics and language that articulate cyber risk in business terms. The rewards are clear to see. Those who’ve been able to measure the business value of cyber report that they’ve been treated with more credibility (50%), seen as a more valued function (51%), and given more budget (42%). On these foundations, a more mature approach to cyber-risk management can be built.
The great news is that 93% of retail IT leaders say they already have metrics in place to put such a plan in action. The key will be ensuring they are consulting from a single source of truth. That in turn may mean having to consolidate their many point solutions onto a single platform for managing risk and measuring security posture across the attack surface. It’s time to get back on the front foot.