
Chapter 1

Understanding the impact of Cybersecurity on business – A Devoteam x IDC Survey

Since 2017, cyber risks, such as attacks or data theft, have been regularly featured in the top 5 of the World Economic Forum’s annual Global Risk Barometer, a sign of much-welcomed awareness among the world’s top leaders. In 2020, they disappeared from the ranking, which was established before the Covid-19 pandemic. However, from data leaks to ransomware, the news keeps reminding us that no one is completely safe and that the damage is increasingly heavy. So what has happened? Did companies tackle the problem head-on, to the point where they felt sufficiently protected? Or is there a false sense of security around cybersecurity? If the latter is correct, why and how have CIOs and CISOs failed to maintain their vigilance? It is these questions, among others, that we wanted to answer by launching an EMEA survey on cybersecurity, together with IDC. The study was also carried out before Covid-19 hit, which makes the results even more valuable.

This dramatic episode has shown us that our resilience is increasingly dependent on digital systems, and therefore on our ability to protect them from the very threats that the crisis is intensifying.

We are publishing the results in a series of three white papers, each focusing on a dimension of the study that we feel is fundamental in exploring these questions fully. The first covers risk management and business impact, the second DevSecOps and operational excellence in security, and the third the security of digital transformation and the workplace.

In this first part of the series, we address the issue of risk, as it is the essential starting point for any responsible and effective approach to cybersecurity. Risk is the prism through which the CISO and the CIO can highlight what’s at stake, go beyond the technical dimension and allow management and business line managers to take ownership of it. It is through risk management that collaboration between these players is established, a collaboration that digital transformation makes more essential than ever. And it is risk, finally, which gives an indication of the investment that the company must make to conduct its operations with confidence.

Without revealing all the results, which our experts will be discussing at the end of this document, the figures corroborate the lack of maturity that we all too often see in the field. It is true that cybersecurity is no longer ignored but, despite the rhetoric, it is still not treated as a priority issue at the highest level. Change must come from the top, so that everyone understands that cybersecurity is not the responsibility of only a few professionals, but of everyone, and that it is not just a matter of protecting the information system, but the entire company.

Foreword

When the crisis strikes, it sweeps away all the plans. Of course, back-up and business continuity procedures have been planned to save what can be saved and ensure core business gets done. But the challenge for a company is not to limit the damage, but to remain competitive no matter what happens.

In this context, management has to make bold and quick decisions, show a calm and resolute face, instil unity and confidence, but above all they have to face up to their previous decisions. The crisis tests the solidity of the foundations management has been able to put in place: strategy, culture, values. In an uncertain environment, these points – which must be reaffirmed without ambiguity – enable employees to act wisely, almost instinctively, and to make the right decisions. For this to happen, the stability of the strategic framework must be coupled with a significant level of tactical and operational autonomy. No one can claim to know with certainty how things will play out, and it is the people on the ground who will be best able to sense and react to a changing and unpredictable situation.

During a crisis, people are the true guardians of a company’s resilience and future, and that is why all efforts must be made to enable employees to show their extraordinary capacity to adapt. Above all, we must ensure their safety, their physical and moral integrity, but also provide them with the appropriate framework and tools. Cybersecurity plays a key role in this context because, in a fragile situation, it gives everyone the reflexes, tools and confidence needed to reinvent the business – without exposing the company any further – and thereby guarantee the company’s future.

Methodology

On behalf of Devoteam, IDC interviewed 601 decision-makers from European and Middle Eastern companies with more than 500 employees. The interviewees were divided into three distinct populations: Business (CEO, CFO, business managers…), IT (CIO and other IT managers) and Security (CISO and other security managers).

Company size (number of employees)