Cyber security is a critical requirement for the organisation that executive management has neglected in the past (Ernst & Young, 2014). Some of the reasons why they chose to ignore cyber security include a low-priority agenda, misunderstood responsibilities and complacency:
Management has many issues to deal with within the organisation, especially those on the agenda relevant to the organisation's economic success. Cyber security is thus set as a low-priority agenda item and neglected.
In the past, executive management strongly felt that cyber security was the responsibility of the IT department, as attacks targeted information assets. With the heightened global reporting of cyber security attacks, this threat now warrants the attention of executive management.
Organisations believe that a cyber security threat will not materialise against them, or that their implemented security controls are sufficient to secure their information assets.
Unlike with traditional organisational risks, during the execution of the Risk Analysis and Review and the Business Impact Analysis, both the BCM and the cyber security team have difficulty determining the impacts associated with the various cyber security threats. Hence, they lack the supporting information to make organisation-wide decisions.
The resources an organisation has access to are limited. Management has difficulty allocating resources to improve cyber security within the organisation when it is contending with other initiatives, as they do not see it as a worthy investment.
Focusing on prevention and mitigation measures is wise, while some organisations prefer to implement response and recovery procedures for cyber security attacks. However, over-investing in either mitigation or response procedures while neglecting the other has been the downfall of certain organisations.
With the recent growing visibility of global cyber security attacks, executive management is beginning to take cyber security seriously. They have begun to see the importance of utilising program management processes, especially in the current situation, where cyber security threats evolve at unparalleled speed in both their complexity and their impact on organisations.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 10 Program Management, 10.2 Rationale for Lack of Cyber Security Prioritisation
Note: This version is the draft 2nd Edition being updated in 2023. The numbers in square brackets [X-X] cross-refer to the actual chapter and section in the 1st Edition.