Traditional approaches to cybersecurity are no longer working and organisations that fail to update their strategies run the risk of significant financial and reputational damage.  This was the major insight from the inaugural IT Leaders' Roundtable events[1] hosted by Protiviti and Robert Half Technology, which were attended by chief information security officers (CISOs) from a range of private and public sector organisations.

The main challenge lies in communication between CISOs/IT and the board, reported attendees.  While boards of directors are aware of the risks associated with cyber crime, partly because of recent high profile attacks in the news and partly because of guidance from GCHQ and other government bodies, they tend to view expenditure on measures to tackle cyber crime as overheads, rather than risk mitigation.

A separate survey[2] found that nearly three-quarters (72%) of CIOs/CTOs indicate that cybersecurity is being prioritized by senior management, but that this number drops to 55% for small and medium-sized enterprises (SMEs). The primary reasons why the lack of prioritisation include lack of perceived imminent threat (39%), cost considerations (21%) and the belief that company information is not of external value (17%).

CIOs/CTOs were asked, ‘What is the primary reason why cybersecurity is not being prioritised by senior management?' Their responses:

Lack of perceived imminent threat   
39%

Cost considerations   
21%

Belief company information is not of external value   
17%

Not a regulated organisation   
10%

Lack of understanding   
10%

Other business initiatives of greater importance   
3%

Jonathan Wyatt, managing director of Protiviti UK, said: "Our annual survey of the top business risks for UK executives shows that cybersecurity is among the top concerns for 2014, alongside regulatory change, economic conditions and political uncertainty.  More boards recognise that cyber threats have the potential to disrupt core operations, bringing what was previously a low level IT concern to the senior decision making table."

Attendees also reported that their boards were experiencing fear, uncertainty and doubt (FUD) fatigue and tended to believe that they could get away with current protection against cyber attacks - despite the fact that the world has changed significantly because of social media, mobile and cloud technology.

Ryan Rubin, managing director and leader of Protiviti's UK Security and Privacy practice, commented: "Traditional approaches need to change to reverse the trends and help mitigate risk.  The average cost of a data breach is $250 per record - and there are mounting expectations that a company will do something for customers whose information have been compromised.  As well as reputational damage, companies can face costs that escalate very quickly."

Charlie Grubb, Associate Director, Robert Half Technology added: "When we asked about the quality of information exchange around cybersecurity between IT and the board, organisations reported that this was mostly limited and reactive, rather than ongoing.  The delegates' experiences suggest that IT security professionals need to develop skills beyond their technological knowledge - the most successful will be those who are able to explain the impact of cybersecurity risks to the board in language that they understand."

Looking at the most senior roles in IT teams, Chief Information Security Officers (CISOs) experienced the highest annual salary percent increase at 3.5%, according to the The Robert Half 2014 Salary Guide for Technology Professionals[3], reflecting the importance of information security in today's organisations and the growing shortage of experienced senior candidates.