C-Suites need to stop taking unnecessary risks

The Corporate Culture of Risk Taking Can Lead to Real World Disruption

Some risk taking is foolish. Much of the sub-prime bank lending that led to the credit crunch, and ultimately to the global financial crisis was to people who very obviously could never afford the loans. And yet the banks were almost all doing it.

While more recently, nobody foresaw the lockdown and the fact that simple acts like going to school, work, meeting friends or going to the beach could ever be a threat to your life and to those around you. But now that we understand the context, it is obvious.

Both the global financial crisis in 2008 and the current pandemic have been extremely disruptive events, for which its consequences could have been avoided, or at least mitigated if we had had a greater risk appreciation or listened to the credit risk managers and health experts sooner.

Does Corporate Culture have a lack of risk appreciation?

The way that we account for risk is also often illogical and unpredictable. We have seen a massive switch to home working which has opened a new attack vector for opportunist cyber criminals. You would expect organisations to be focusing on the security of their cloud applications, but all too often there is an assumption that the cloud provider deals with security, when in reality misconfigured cloud instances are one of the most common sources of data breaches.

While you’d never leave your cloud or your laptop without any password or protection at all, organisations frequently delegate procurement of IoT devices and simple items like USB memory keys to their procurement department. Inevitably they then acquire the cheapest devices available, rather than paying a little more for extras like encryption. Ask yourself, was the USB memory stick that you last used encrypted and password protected? If the answer is ‘no’ then you need to conduct an urgent cyber risk audit.

The failure to account for risk is not only cultural – from the selfie taker to the procurement manager, we don’t always appreciate risk – but it is also a result of the way that organisations operate.

The three key points should always be considered

It is hoped that the recent experiences will make us all far more risk aware. C-Suites need to change the way that they incentivise and manage their teams and ensure that their perspective including all three key elements: revenue, profit AND risk. Procurement managers need to appreciate risk and understand how buying decisions from relatively low-cost devices (encrypted drives don’t cost a lot more) to larger complex systems need to be taken with cybersecurity in mind.

With a risk-aware culture paying a small cyber-risk premium for everything from secure, encrypted devices to complex multi-cloud systems would be seen as a sensible investment, and CISOs would know that they’d be able to raise the alarm without being ignored.

Cultural change needed to make a difference

As a society we have never been as interconnected or as reliant on technology as we are now and therefore as vulnerable – especially with the threat landscape evolving and growing continually.

Leadership is required to change the way that the management team and all those below them behave and this kind of cultural shift towards greater risk appreciation, needs to come from the very top. A culture of digital ethics (including data privacy and security), needs to permeate all levels - from top to bottom. Organisations that have this culture of digital ethics, and that are risk aware, are not only less likely to experience a data breach but will also be better able to respond in the event of one.