From Boardroom Blindness to Business Breakdown
Question: Why do companies remain hesitant to prioritize cybersecurity, despite clear business risks?
As an “experienced” cybersecurity consultant with two decades in the field, I have witnessed the puzzling phenomenon where organizations continue to underinvest in cybersecurity despite mounting evidence of its critical importance. Even after all this time, I'm still surprised by how often the suggestions, advice and concepts provided to customers are ignored by the people making the decisions. So, I started to summarize all the things in my head: speaking to people, discussing human-related implications in the cyber-wellness podcast, doing some research - and yes, arguing with my favorite AI bot.
This (let’s call it flashbacks, a.k.a. “research”) reveals an interplay of psychological, financial, organizational, and knowledge-based barriers that contribute to this persistent issue. While cyber threats have evolved dramatically and high-profile breaches regularly make headlines, many decision-makers still view cybersecurity as an IT problem rather than a business imperative that demands strategic attention.
This analysis aims to reveal the multifaceted reasons behind this hesitation and explores potential approaches to overcome these barriers... and maybe I just need this for my personal sanity check.
So - hope you will find it somehow useful. At least, my psychotherapist will enjoy it :-)
1. The Knowledge Gap:
Cybersecurity as a Technical Black Box
One of the most fundamental barriers to cybersecurity prioritization I see is the significant knowledge gap between technical experts and business leaders. Many executives and board members come from non-technical backgrounds, making it challenging for them to fully grasp cybersecurity complexities and risks.
Research from Ruhr University Bochum reveals a troubling power imbalance where board members often avoid asking questions about cybersecurity for fear of exposing themselves as IT novices. This ultimately makes boards highly dependent on those providing them with cybersecurity information, potentially compromising their oversight function. Cybersecurity risk becomes abstracted to mere budget decisions, with minimal board involvement in actual cybersecurity strategies (5). This knowledge asymmetry creates a situation where those responsible for resource allocation may not fully comprehend what they're protecting against or why specific investments are necessary.
The problem is worsened by the fact that there are not many experts in this field. According to Zscaler research, "many boards lack experience in cybersecurity, as members traditionally can come from nontechnical backgrounds. This makes oversight and engagement on cyber-related matters difficult, particularly with understanding related risks and making recommendations" (7). Without this expertise, boards struggle to effectively assess cybersecurity risks and allocate appropriate resources.
BUT from my experience, this knowledge gap extends beyond the boardroom. Many small business owners and managers across organizations lack awareness of cybersecurity threats and best practices. David Webb, a technology company owner who has helped businesses with cybersecurity since 1996, notes that "the lack of awareness around cybersecurity is a major issue" (1). Business owners often view cybersecurity as too complex or costly, placing it in the "too hard" basket despite the availability of relatively simple protective measures.
2. Financial Considerations:
The Cost Perception Dilemma
The perception of cybersecurity as a cost center rather than a business enabler is the next big factor that significantly impacts investment decisions. Many organizations view cybersecurity spending as an expense that doesn't directly contribute to revenue or growth objectives.
According to GB Tech's analysis, cost concerns represent a major reason why business owners don't prioritize cybersecurity: "Investing in robust cybersecurity is expensive; there's no sugarcoating this, and budget constraints are a reality for many business owners, especially small and medium-sized ones. They might perceive cybersecurity as a non-essential expense, not realizing that the cost of a cyberattack could far outweigh the investment in preventive measures" (2). This short-term financial perspective fails to account for the potentially devastating long-term consequences of inadequate security.
Chris Wysopal, co-founder and CTO of a cybersecurity company, highlights the "penny-wise and pound-foolish" mentality many organizations adopt: "Organizations don't like spending money on preventative stuff. They don't want to overspend, so plenty of organizations will sort of be penny-wise and pound-foolish kind of places where they wait for the event to happen, and then they have the big expense of cleaning it up" (9). Only after suffering a breach do many organizations realize they could have spent less on prevention than on incident response and recovery.
The challenge isn't necessarily a lack of available funds. One friendly CISO from a large international company with HQ in Germany observed and told me: "From what I have seen, the issue is not necessarily that the money is not there, typically the issue is that security almost always competes with other operational priorities". This competition for resources often sees cybersecurity losing out to initiatives with more visible or immediate returns on investment.
3. The Risk Perception Problem:
Psychological Barriers to Action
Another topic that somehow gets completely ignored: psychological barriers also significantly influence how organizations perceive and respond to cybersecurity risks. Many business leaders operate under a false sense of security or downplay the likelihood of their organization becoming a target.
GB Tech identifies "misplaced confidence in existing systems" as a key reason for cybersecurity neglect: "Business owners often place unwarranted trust in their current systems. 'It won't happen to us' is a common refrain, underestimating cyber threats' sophisticated and evolving nature" (2). This cognitive bias leads to complacency and inadequate protection measures.
Similarly, many organizations underestimate the value of their data and digital assets to potential attackers. They mistakenly believe their business isn't an attractive target, failing to recognize that attackers often target smaller businesses precisely because they tend to have weaker security controls (2). Have you ever heard the phrase “We are not a bank - nothing to get here” during a consultation? This misperception of risk exposure leads to insufficient investment in protective measures.
The disconnect between perceived and actual risk creates a dangerous security gap. A research study from SMU's Darwin Deason Institute for Cyber Security found an interesting perception disparity:
while 46 percent of interviewed subjects believe their organization is spending the right amount on cybersecurity, 64 percent reported that their peers were spending too little (8).
This suggests a widespread recognition of the industry-wide underinvestment problem, combined with a reluctance to acknowledge similar shortcomings within one's own organization.
4. Organizational Challenges:
Governance and Communication Barriers
In addition to all that, organizational structures and communication challenges create significant barriers to effective cybersecurity prioritization and implementation. The technical nature of cybersecurity creates a persistent communication gap between technical experts and business leaders.
Eva Pleger from cyber-wellness.io confirmed this widening divide: "Cyber pros are often deeply immersed in the technical aspects of security, while executives may not fully grasp the strategic implications". This disconnect can lead to inadequate resource allocation, delayed decision-making, and ultimately an increased vulnerability to cyberattacks, according to Security Info Watch (3). When cybersecurity professionals cannot effectively translate technical risks into business language, executives struggle to understand the true implications of security threats.
This communication breakdown goes both ways. While technical teams may fail to articulate risks in business terms, executives often don't engage deeply enough with security issues. According to Security Info Watch, executives "need to actively engage with their security teams, understand the risks, and prioritize cybersecurity investments based on the organization's overall business strategy" (13). I strongly believe: Without this engagement, cybersecurity remains isolated from broader business objectives.
Organizational silos further complicate the picture. Many companies treat cybersecurity as a purely technical issue, failing to recognize its cross-functional nature. As Technative points out: "For as long as they have tried to address the issue, most firms have simply treated it as a pure technical matter, to be resolved purely by technical means. Cybersecurity is more complex than that: Protecting the firm from cyberthreats requires the ability to reach across corporate silos, beyond IT, towards business and support functions, as well as digitalized supply chains" (16).
This siloed approach prevents the development of comprehensive security strategies aligned with business objectives.
Resource Allocation and Operational Challenges
Even when organizations recognize the importance of cybersecurity, operational challenges and resource constraints often impede effective implementation. Time constraints represent a significant barrier, particularly for small business owners.
David Webb notes that "cyberattackers prey on busy people. Small business owners are often stretched thin, and that's when they're most exposed" (1). In today's fast-paced environment, business owners often find it challenging to prioritize cybersecurity when juggling a multitude of other responsibilities. As a result, security measures can end up overlooked or rushed through without the attention they truly need.
The shortage of skilled cybersecurity personnel presents another significant challenge. The SMU Darwin Deason Institute study found that "while most of those surveyed said getting funding for their cybersecurity efforts is not a hurdle, many executives talked about the difficulty they experience in finding and hiring skilled cybersecurity personnel" (8). This talent shortage means that even organizations willing to invest in cybersecurity may struggle to build and maintain effective security teams.
The sheer complexity of the cybersecurity landscape overwhelms many organizations, particularly those not deeply versed in technology. This complexity can lead to a kind of decision paralysis, where business owners prefer to stick to the status quo rather than navigate the confusing and complex landscape of cybersecurity. It extends to operational aspects like software updates, with many organizations delaying critical security patches due to concerns about disruption or compatibility issues (12).
The Shift to Proactive Risk Management:
Signs of Progress?
Despite these persistent challenges, I think there are some encouraging signs of evolution in how organizations approach cybersecurity. A number of executives are rethinking their strategies for managing and investing in cybersecurity. They are shifting away from narrow, reactive methods and are instead embracing comprehensive risk management frameworks.
The study (8) revealed several positive trends:
More than 80 percent of executives reported broad and increasing support among senior-level management and corporate boards for cybersecurity efforts
Eighty-eight percent of respondents reported increased security budgets
The majority cited news coverage of large security breaches as driving that support
This suggests a gradual shift toward more proactive, risk-based approaches to cybersecurity as organizations witness the consequences of inadequate security through high-profile incidents. Additionally, regulatory pressures and increased board accountability for cybersecurity are driving greater attention to these issues at the executive level.
Overcoming the Hesitation:
Strategies for Progress
What’s next? Addressing the persistent hesitation to prioritize cybersecurity requires a multifaceted approach that tackles knowledge gaps, financial perceptions, risk awareness, and organizational barriers simultaneously. This goes far beyond the traditional consultative approach and needs a much broader skill set.
Let’s start with the arguably “easiest” one: Communication. Improving communication between technical and business stakeholders is essential. Cybersecurity professionals must learn to communicate effectively with executives, "translating technical jargon into business language and highlighting the impact of security on the bottom line" (13). By framing cybersecurity in terms of business value and risk management rather than technical details, security leaders can make more compelling cases for investment.
Building on this, enhancing board-level cyber expertise represents another crucial step. Dedicated time with CISOs and other security executives can provide boards with essential knowledge about organizational cybersecurity strategies, vulnerabilities, and the external threat landscape. Some organizations are also addressing this by creating dedicated cybersecurity committees or appointing board members with cybersecurity backgrounds.
Shifting the financial perception of cybersecurity from cost to investment requires demonstrating the business value of security measures. As CyberSaint notes, "An investment that increases your resiliency by 30% will be much easier to fund than a confusing technical detection platform with unknown results" (15). By quantifying the potential impact of cybersecurity failures and the value of preventive measures in business terms, security leaders can make more compelling business cases for investment.
Finally, integrating cybersecurity into broader business strategy represents the most fundamental shift needed. Cybersecurity needs to be treated as a business challenge rather than a purely technical issue. This requires leadership from top executives who understand both the business and security implications of digital transformation, as well as organizational structures that facilitate collaboration between security and business functions.
My conclusion:
Bridging the Divide for Organizational Resilience
So if I’m trying to conclude (if this is even possible): Despite the clear risks to businesses, many organizations still hesitate (and will continue to hesitate) when it comes to prioritizing cybersecurity. This reluctance often stems from a mix of factors like:
gaps in knowledge,
budget constraints,
psychological resistance,
and internal organizational challenges.
Tackling these issues effectively requires a comprehensive approach—one that shifts cybersecurity from being seen as just a technical issue to being recognized as a core business priority.
As cyber threats grow more sophisticated and damaging, companies that fail to address these challenges put themselves at increasing risk. The financial, operational, and reputational fallout from a major security breach can be far more costly than the investment required for preventive measures. Yet, many organizations still struggle to turn this understanding into meaningful action.
For cybersecurity professionals and consultants, this means that recognizing these barriers is crucial to advocating for stronger security measures. By bridging the gap between technical requirements and business goals, framing security risks in a way that resonates with decision-makers, and demonstrating the tangible return on investment for cybersecurity efforts, these experts can help organizations move past hesitation and take proactive steps to protect themselves.
The way forward is to integrate cybersecurity into the broader business strategy—transforming it from a specialized IT concern into a fundamental component of an organization’s overall resilience. Only by adopting this mindset can businesses build the level of cyber preparedness necessary to navigate today’s increasingly digital and threat-filled landscape.
Let's wrap this up with a bow of inevitability, shall we?
(and I will speak off the top of my head, unfiltered):
So there we have it—the classic cybersecurity conundrum where businesses acknowledge the threat with one hand while frantically searching for the snooze button with the other. It's like watching someone install a state-of-the-art home security system but leaving the front door wide open because, hey, who has time to turn that pesky key?
The truth is, waiting until after a breach to take cybersecurity seriously is like deciding to invest in swimming lessons while you're actively drowning. Not exactly the optimal timing, I HOPE you agree! And yet, here we are, watching organizations clutch their pearls at cybersecurity budgets while simultaneously planning for the inevitable "unexpected" data breach PR nightmare.
Perhaps what we really need isn't another security framework or fancy technology, but a reality check delivered with enough force to penetrate the corporate bubble of "it won't happen to us." Because when that cyberattack inevitably strikes—and trust me, it's a matter of when, not if—suddenly those "excessive" security costs will look like the bargain of the century compared to the smoking ruins of your company's reputation and bottom line.
The path forward isn't rocket science: it's about making cybersecurity as fundamental to your business as having electricity in the office. After all, what good is saving money on security if you're just setting it aside for future ransomware payments?
The choice is yours—invest wisely now or explain to stakeholders later why your company name is trending alongside words like "breach," "compromise," and "should have known better." I know which conversation I'd rather have.
Citations:
https://news.nab.com.au/news/how-cyber-attacks-are-preying-on-time-poor-business-owners/
https://www.gbtech.net/the-six-reasons-why-business-owners-dont-care-about-cybersecurity/
https://www.linkedin.com/pulse/why-do-companies-wait-until-after-cyber-attack-act-ron-klink-nngfe
https://www.differential.vc/news/why-its-hard-to-invest-in-cybersecurity
https://www.smu.edu/news/archives/2015/smu-deason-cybersecurity-risk-study-27oct2015
https://www.eesc.europa.eu/sites/default/files/files/qe-01-18-515-en-n.pdf
https://hackernoon.com/cybersecurity-neglect-the-silent-killer-of-businesses
https://strobes.co/blog/why-ignoring-vulnerability-prioritization-is-a-cisos-worst-nightmare/
https://technative.io/cybersecurity-the-what-the-how-and-the-who-of-change/
https://academic.oup.com/cybersecurity/article/9/1/tyad018/7246580
https://www.marketplace.org/2017/09/11/why-do-companies-wait-so-long-tell-us-weve-been-hacked/
https://www.linkedin.com/pulse/power-decision-making-cybersecurity-michael-collins-fhuze
https://www.cybersaint.io/blog/why-would-my-startup-be-at-risk-for-cybersecurity
https://frankfurt-main-finance.com/en/increased-investment-in-cyber-security-required/
https://www.routledge.com/Cybersecurity-for-Decision-Makers/Vajjhala-Strang/p/book/9781032334974
https://www.infosecurity-magazine.com/blogs/state-cybersecurity-challenges/
https://www.linkedin.com/advice/1/youre-facing-resistance-from-executives-security-pmvlc
https://www.eib.org/attachments/lucalli/20220206-european-cybersecurity-investment-platform-en.pdf
https://www.metricstream.com/learn/secure-cloud-strategic-priorities-cyber-risk.html
https://www.reddit.com/r/cybersecurity/comments/rb8yn4/bosses_are_reluctant_to_spend_money_on/
Great analysis and conclusion, Nermin! The communication gap between boards, C-suite, and CISOs is a key problem (see my own talk yesterday here: https://www.linkedin.com/posts/mymso_communication-gap-cisos-boards-activity-7305346073798090753-eAnX).
I like your conclusion about the integration with the business strategy - I shared the exact same advice in there! Certainly no coincidence but rather proof that this is in quintessence the only path forward to make cybersecurity what it really is: a business challenge that requires constant attention, nutrition, care, and prioritization to avoid total disruption and business losses.
Best wishes,
Michael Oberlaender