8 Ways You Could Be Inviting a Cybersecurity Attack

November 22, 2021

Contributor: Susan Moore

Cultural and systemic issues may be leaving your organization vulnerable.

Many business leaders still believe cybersecurity is a problem that can be solved if they invest enough money and hire the right people with the right technical knowledge who will keep them out of the headlines.

In fact, it’s often systemic and cultural issues between IT and non-IT executives, not technical competency or funding, that leave organizations exposed to cybersecurity attacks. 

Download now: 3 Must-Haves in Your Cybersecurity Incident Response Plan

“These issues present opportunities for CIOs and CISOs to rethink how they engage senior non-IT executives to prioritize security,” says Paul Proctor, Distinguished VP Analyst at Gartner.

You can reduce the risk of cyberattacks by addressing these leading causes of failure within your organization.

Gartner has identified 8 causes of cybersecurity failure that coud leave organizations exposed to attacks.

1. Invisible systemic risk

Businesses make decisions every day that negatively impact their security readiness: for example, refusing to shut down a server for proper patching or choosing to keep working on old hardware and software to save budget. These unreported decisions lead to a false sense of security and increase the likelihood and severity of an incident.

Security eBook: 2022 Leadership Vision

Action: Recognize, report and discuss systemic risk as part of normal security governance.

2. Cultural disconnect

Non-IT executives still see security as something that is “just there,” like air or water. This means it isn’t considered a part of business decisions. For example, a business leader requesting a new application is unlikely to include “security readiness” as a requirement.

Action: Put cybersecurity into a business context so executives can see the impact of their decisions.

Guide: Everything You Need to Know About Cybersecurity

3. Throwing money at the problem

You can’t buy your way out — no matter what you spend, you won’t be perfectly protected against cyberattacks. By trying to stop every risky activity, you will likely damage your organization’s ability to function. 

Action: Avoid overinvestment in security that raises operational costs but damages the organization’s ability to achieve business outcomes.

4. Security as “defender”

If security officers are treated as (and act as) defenders of the organization, it creates a culture of no. For example, they might block the release of a critical application due to security concerns without considering the business outcomes the application supports.

Action: Position security as the function that balances the need to protect with the need to run the business.

5. Broken accountability

Accountability should mean that a decision to accept risk is defensible to key stakeholders. If accountability means that someone will get fired if something goes wrong, no one will engage. 

Action: Reward those who make decisions that best balance the need to protect with the need to run the business.

6. Poorly formed risk appetite statements

Organizations create generic high-level statements about their risk appetite that don’t support good decision making. Avoid promising to only engage in low-risk activities, as this can create invisible systemic risk.

Action: Create mechanisms that allow for the acceptance of risk within defined parameters.

7. Unrealistic social expectations

When a headline-grabbing security incident happens, society just wants heads to roll. While this isn’t fair, it’s the result of decades of treating security as a black box. No one understands how it really works and as a result, when an incident does occur, the assumption is that someone must have made a mistake. 

However, society is not going to change until organizations and IT departments start treating and talking about security differently.

Action: Be vocal about balancing the need to protect with the need to run the business rather than scapegoating.

8. Lack of transparency

Some boards and senior executives simply do not want to hear or acknowledge that security isn’t perfect. Board presentations are filled with good news about the progress that has been made in security, with little or no discussion about gaps and opportunities for improvement. We know of one company that even decided to move security under legal counsel so that discussions are privileged.

Action: To tackle the challenges, IT and non-IT executives must be willing to understand and talk about the realities and limitations of how security works.


Experience Information Technology conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.