C-Suites Need to Stop Taking Unnecessary Risks

The Corporate Culture of Risk Taking Can Lead to Real-World Disruption

Some risk-taking is foolish. Much of the sub-prime bank lending that led to the credit crunch, and ultimately to the global financial crisis, was to people who very obviously could never afford the loans. And yet the banks were almost all doing it.

More recently, nobody foresaw the lockdown and the fact that simple acts like going to school, work, meeting friends, or going to the beach could ever be a threat to your life and to those around you. But now that we understand the context, it is obvious.

Both the global financial crisis in 2008 and the current pandemic have been extremely disruptive events with consequences could have been avoided, or at least mitigated, if we had had a greater risk appreciation or listened to the credit risk managers and health experts sooner.

Does Corporate Culture Have a Lack of Risk Appreciation?

The way that we account for risk is also often illogical and unpredictable. We have seen a massive switch to home working, which has opened a new attack vector for opportunist cyber criminals. You would expect organizations to be focusing on the security of their cloud applications. All too often, however, there is an assumption that the cloud provider deals with security, when in reality misconfigured cloud instances are one of the most common sources of data breaches.

While you’d never leave your cloud or your laptop without any password or protection at all, organizations frequently delegate the procurement of IoT devices and simple items like USB memory keys to their Procurement department. This department inevitably acquires the cheapest devices available, rather than paying a little more for extras like encryption. Ask yourself, was the USB memory stick that you last used encrypted and password protected? If the answer is “no,” then you need to conduct an urgent cyber risk audit.

The failure to account for risk is not only cultural—from the selfie taker to the procurement manager, we don’t always appreciate risk—but it is also a result of the way that organizations operate.

Three Key Points Should Always Be Considered

It is hoped that the recent times will make us all far more risk aware. C-Suites need to change the way they incentivize and manage their teams, and ensure that their perspective includes all three key points: revenue, profit, AND risk. Procurement managers need to appreciate risk and understand how buying decisions that range from relatively low-cost devices (encrypted drives don’t cost a lot more) to larger complex systems need to be taken with cybersecurity in mind.

With a risk-aware culture, paying a small cyber-risk premium for everything from secure, encrypted devices to complex multi-cloud systems becomes a sensible investment, and CISOs know they can raise the alarm without being ignored.

Cultural Change Needed to Make a Difference

As a society, we have never been as interconnected or as reliant on technology as we are now, and therefore never as vulnerable—especially with the threat landscape evolving and growing continually.

Leadership is required to change the way the management team and all those below them behave, and this kind of cultural shift towards greater risk appreciation needs to come from the very top. A culture of digital ethics (including data privacy and security) needs to permeate all levels—from top to bottom. Organizations that adopt this culture of digital ethics, and that are risk aware, are not only less likely to experience a data breach but will also be better able to respond should one occur.