I was struck by the contrast between the piece below and a stream of recent reports on polls and surveys that seem to show again and again that IT and IS officers within businesses are still struggling to get their boards to take data protection and information security seriously enough.

If nearly 50% of all SME's genuinely believe that a serious cyber incident would mean the end of their business, how are we still seeing so many stories about the difficulty that CISO's have in persuading boards that there is a return on cyber-security investment? If almost half of businesses have already suffered a cyber-security incident, why is there so  much difficulty in persuading CEO's to implement even the most rudimentary security precautions to guard against future attacks?

To some extent, there is an understandable fatigue with these issues. Last year's GDPR push took up a lot of time and other resources for businesses (particularly those who didn't take data privacy terribly seriously before that) and the period of lull afterwards has tended to reinforce a suspicion that this was an unnecessary exercise. An overdose of "fear marketing" in the run up (those 4% of turnover fines seem to have been particularly poorly explained) is partially to blame I am sure. But I know that I am not alone in having encountered businesses who think that GDPR was a one-off exercise last year, and that having ticked that box off they shouldn't have to think about it any more. Perhaps they feel that because the sky hasn't fallen in, it wasn't worth worrying about it in the first place.

The truth, of course, is that in the over-lapping worlds of information security and data protection, the return on investment is that the sky stays where it belongs - life goes on. But "business as usual" is a perfectly laudable goal: stability supports profitability. Just because the pay-off is more intangible should not mislead businesses into thinking that it is not an area that is worthy of investment. As the reported study below shows, dropping the ball in this field could well be harmful to the trust your customers and staff place in you, and could even represent an existential challenge to your entire organisation.