There seems to be many organisations who speak a good game in press releases, board packs and similar visible public platforms – but show a very different face behind the scenes. I find it of deep concern that ICT risk is typically not escalated to the executive team, including the CFO. The more valuable a businesses’ intellectual property is, the higher the chances that cyber criminals will try to get their hands on it, and this is a business problem, not a technology problem.

The most deadly and damaging attacks today are aimed specifically at an organisation’s data, people, systems, and vulnerabilities. Attacks are more sophisticated than ever before, and more cunning and stealthy.

So how do we explain the phenomenon that when we identify the risk – it is not acted on? Is this because the ICT team feel that if they bring the risk out in the open they may lose face; or even worse – their job? Is it that there is not enough “pressure” actually placed on the business at the highest level to address ICT risks or are we simply dealing with severe cases of denial – if we deny the fact we are exposed to risk; then hopefully it will go away?