Four major cybersecurity trust gaps across organizations and how to fix them

The world is going digital; virtually every type of cross-border business transaction now has a digital component. Companies’ use of digital technologies opens them up to new relationships with customers and business partners and new business opportunities.

But, as recent headlines have made clear, the very act of connecting to the outside world increases organizations’ risks exponentially – of project failure, data breach, or worse.

In this era of global digital flows, companies must take all possible steps to build robust cybersecurity capabilities. Protection strategies cannot be focused solely on technological controls and remediation plans.

Companies must invoke the human element as well. They must seek to build digitally-resilient cultures in which cybersecurity is not an occasional concern but an everyday task for core business stakeholders at all levels, both inside and outside the organization.

But cybersecurity trust gaps exist on many levels across the corporate ecosystem. Here are four major gaps and how to address them:

The dynamic between board directors and the senior management team can be fraught for any number of reasons, but first on the list is that cybersecurity is usually not a top item on many board-meeting agendas. It is often presented as part of a larger discussion around IT issues, if at all mentioned.

Many board directors tend to be less informed about cybersecurity technologies and issues than they may be about standard financial and operational matters – apart from what they read about the latest corporate or government security breach. They come to the table with questions about the company’s cybersecurity programmes.

Members of the C-suite need to create more transparency and forge stronger communication with board directors. Senior leaders should formally assess the maturity of their cybersecurity programmes regularly and present their findings to the board at least annually but preferably even more frequently.

This exercise should involve a structured consideration by members of the senior leadership team and others in IT and the business units of the severity and likelihood of attacks on major corporate assets. For instance, which internal and external threats are the biggest, and what is the business value at stake?

Trust-based relationships among individuals in the business units, the IT organization and the cybersecurity function can be challenging to maintain – partly because these groups sometimes work at cross purposes.

The cybersecurity team may impose certain safety protocols that are inconvenient for employees in the business units, or otherwise impede their daily operations. Such exasperation can escalate from the individual level to the business-unit level.

The organisation can provide comprehensive cybersecurity training to staff at all levels to help close the trust gap between the IT and cybersecurity function and the business.

This might include dedicated town hall meetings, workshops, and training modules focused on identifying varying types of cyber threats and outlining appropriate responses when employees witness suspicious activity. Such training can help business-unit employees understand the rationale for cybersecurity protocols and raise their awareness.

After all, Cybersecurity is a shared responsibility.

The relationship between companies and their technology and supply-chain vendors has always been complex. Just as consumers rely on companies to keep their data safe and use them only in ways they have authorized, businesses must trust their IT and supply-chain vendors to hold competitive information close to the vest.

Automakers, for instance, would need to be confident that their original equipment manufacturers (OEMs) have enough cybersecurity controls to protect the intellectual property they share. This is especially true in an era in which more and more companies are outsourcing the management of their IT infrastructures or their cybersecurity operations.

To bridge this trust gap, company IT and business leaders should schedule regular conversations with vendors and supply-chain partners to assert the levels of security required to protect shared business information.

Such meetings should occur quarterly or biannually; with frequent contact, vendors and company officials can engage in a true business partnership rather than a simple transactional relationship. They can discuss and devise clear recovery and compensation plans.

It’s no surprise that local, national and federal governments have in recent years prompted private-sector organizations to become more aware of cybersecurity issues and more active in their data-protection efforts.

Cyberattacks in major financial institutions can affect overall market stability. Energy-grid hacks can pose national threats, too, as we learned from the recent attempted break-ins at a dozen power plants in the United States.

Government agencies need companies to report cyberattacks and other incidents in a timely fashion to strengthen overarching protection efforts.

Neither side can afford to battle cyber attacks on its own. Companies need the official approval and gravitas that government agencies can provide as facilitators of cybersecurity investigations and discussions of sensitive information. Governments need the feedback and technical resources that private-sector organizations can provide.

Technology alone cannot hold cyber attackers at bay. A culture of trust is also important for corporate cybersecurity initiatives to succeed. All stakeholders in a company’s ecosystem – board directors, IT leaders, businesspeople, vendors and so on – must come to a mutual understanding of the company's risks and work together to decide on the best approach for addressing those risks.

As we’ve learned, attaining and preserving this level of agreement and trust can be difficult, particularly because of the natural tensions built into data-protection efforts: the cybersecurity team’s day-to-day work has consequences for the business and vice versa.

But if companies recognize the human aspect in cybersecurity and take steps to close trust gaps by introducing more transparency, they can increase the odds that their cybersecurity programmes will be successful – not just in the near term, but over the long haul, regardless of the kinds of threats that may emerge.