Lethargic, narrow-minded middle-managers are among the biggest remaining obstacles to consolidating enterprise cyber-security, an industry expert has warned.
Speaking at the CBI Cyber Security Conference 2015 in central London this week, Martin Smith MBE, chairman and founder of The Security Company, and of the Security Awareness Special Interest Group, said that in many corporate hierarchies the importance of cyber-security safeguards was now understood by directors, senior executives and increasingly by rank-and-file IT system users.
However, sub-board-level middle management is still unwilling to take on responsibility for implementing cyber-security policies at a departmental or team level, said Smith: “[They only want to] be measured by business performance and not cyber-security performance”.
Such intransigent middle managers constitute “a crust of lethargy and resistance in the middle [of organisations],” Smith said, and have yet to accept that cyber-security is no longer just a technology issue but a business issue. “They are the ones who run the business”, he stressed.
The upper and lower ends of the corporate workforce have been successfully targeted by cyber-security awareness campaigns (such as the UK government's Get Safe Online and Cyber Essentials schemes) over the last five years, Smith explained. Middle management, meanwhile, has been far less exposed to educational messages aimed directly at it.
Mid-ranking business managers “just do not understand the technology – and are apt to leave it to the IT function [to run],” Smith insisted, and in doing so they ignore the fact that cyber-security is a “business issue that business managers should deal with”.
Smith also called for enterprises to better recognise that in terms of enterprise IT, there is “no such thing as a 'security' risk, only more business risks”.