Compliance

Cyber security isn’t IT 5 key dangers

We explore 5 key dangers caused by thinking of cyber security as an IT function and how it puts businesses at risk.

Joe A. J. Beaumont Headshot

Joe A. J. Beaumont Chief Security Evangelist

25/05/2023 4 min read

Introduction

Many businesses still think of cyber security as an IT function - it’s one of the most enduring myths we face in the industry. This is bad news. Cyber security is not just an IT problem: it is a business problem. Cyber security is risk, and risk is a business issue. Cyber is so much more than a collection of IT controls, yet it’s an uphill battle to get it seen as anything else. This article will explore 5 key dangers caused by thinking of cyber security as an IT function and how it puts businesses at risk.

Share this Article

1 Siloed thinking creates unknowns

Thinking of cyber security as an IT function leads to a siloed approach to security. In many businesses, the IT department is responsible for security, and other departments are not involved in the decision-making process. This siloed approach means that other departments aren’t aware of the security risks they themselves face, nor how to mitigate them. It also means that the IT department may not have access to all the information they need to make informed decisions about cyber security.

This siloed approach can be particularly problematic when it comes to managing third-party risks. Third-party vendors and suppliers is the norm, and these vendors can be a significant source of cyber security risks through the supply chain. However, if other departments are not involved in the decision-making process, they may not be aware of the third-party risks or how to manage them. As a result, the business may be exposed to significant cyber security risks that could have been avoided.

2 Reactive vs. proactive security

The ‘cyber is IT’ myth also leads to a reactive approach to security. Many businesses wait until they experience a cyber attack or data breach before taking cyber security seriously. This reactive approach means that businesses are always playing catch up, and they may not be able to recover from a significant cyber attack. Ransomware in particular is easy for cyber criminals to do en masse, and it’s great at wiping out businesses. Many data breaches happen without businesses even being aware.

A proactive approach to cyber security involves identifying and mitigating risks before they turn into problems. Regular vulnerability scanning is cheap and easy, and, these days, regular penetration testing is seen as the norm. A proactive security approach needs buy-in and involvement from all departments. Ideally, a culture of security awareness too – but that’s a different challenge itself. By taking a proactive approach to cyber security, businesses can stay ahead of the curve and minimise the risk of a cyber attack or data breach.

10 Point Security Checklist 10 Point Security Checklist

Download Free 10-point security checklist

Learn everything you need to know to take your cyber security strategy from zero to hero. Boost your security defences & plan your strategy with our free 10-point security checklist

Download the checklist now

3 Lack of accountability

Thinking of security as an IT function leads to a lack of accountability. If cyber security is made the responsibility of the IT team, other departments aren’t going to feel responsible for security. This lack of accountability means that cyber risks will be overlooked or ignored. It also means that if a data breach does occur, the blame is placed solely on the IT department, rather than the business as a whole. The ‘blame game’ culture is one of the most underrated threats to your business security.

Instead, work to install a culture of accountability, rather than blame. All employees need to understand their role in protecting the business from cyber attacks and data breaches, they need to be aware of the risks and how to mitigate them, and they need to be held accountable for any security lapses or mistakes. How? Well, annual security training is usually a good start.

4 Underinvestment

A lack of investment in cyber security is a common outcome of treating it as an IT function. If it’s seen as an IT problem, it only gets a part of the always-stretched IT budget. And this means inadequate security measures. Cyber security requires investment in IT tech, of course, but it also needs personnel, process and training. Getting board-buy in is essential for this, and is one of the things a CISO, or virtual CISO, can help with.

5 Low understanding of risk

Thinking of cyber security as an IT function can lead to a lack of understanding of the risks it presents. This applies in broad strokes at the C-level, and in narrower terms of user behaviour. For example, non-IT employees (and really, even some IT employees) may not be aware of the various cyber threats that the business faces or how to protect against them. As a result, they may unintentionally put the business at risk by engaging in risky behaviour, such as using weak passwords or clicking on suspicious links.

It's essential to provide all employees with cyber security training to ensure that they understand the risks and how to mitigate them. This training should cover topics such as password hygiene, email phishing, and social engineering. It should also emphasise the importance of reporting any suspicious activity to the IT department.


Key takeaways

Involve all departments in the cyber security strategy: cyber is not just an IT problem – it affects all areas of the business. Therefore, it's crucial to involve all departments in the decision-making process to ensure your business is adequately protected.

  1. 1

    Take a proactive approach to cyber security

    Identify and mitigate risks before they turn into problems. Establish a culture of security awareness and involve all employees in the cyber security strategy.

  2. 2

    Establish a culture of accountability

    All employees need to understand their role in protecting the business from cyber attacks and data breaches. They need to be aware of the risks and how to mitigate them. They also need to be held accountable for any security lapses or mistakes.

  3. 3

    Invest in cyber security

    Cyber security requires investment in technology, personnel, process and training. If businesses don’t invest in cyber, you’re lining yourself for up cyber attacks and data breaches.

  4. 4

    Understand risk

    From the strategic board decisions to the everyday end user actions, every part of your business needs to understand the very real risk that cyber security places on your business, and what you need to do about them.

Joe A. J. Beaumont Headshot

Meet the author

Joe A. J. Beaumont Chief Security Evangelist

Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.

Get vital cyber strategy support with a virtual CISO

Our experienced virtual CISOs give you senior strategy support on and as-and-when basis.

Find out more

Related resources


Trusted cyber security & compliance services from a certified provider


Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.